<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Makes sense. The CWG has the first say in its own Charter.<br>
<br>
Thanks,<br>
Dimitris.<br>
<br>
<div class="moz-cite-prefix">On 13/9/2023 12:11 p.m., Martijn
Katerbarg wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MW5PR17MB6012D83CC421D3F9CDAC2F32E3F0A@MW5PR17MB6012.namprd17.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator"
content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]-->
<style>@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0cm;}ul
{margin-bottom:0cm;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">So while updating the charter really is
something for the Forum level (ping <a
id="OWAAMCF6AE7706B5650409B732264C247E4A9"
href="mailto:dzacharo@harica.gr" moz-do-not-send="true"><span
style="font-family:"Calibri",sans-serif;text-decoration:none">@Dimitris
Zacharopoulos (HARICA)</span></a>), I would be inclined
to say that a first update draft could be floated in the
CSWG mailing list for feedback. Any objections?<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US">I’ll start working on a draft update, and
include changes to the voting structure language as well.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"
lang="EN-US"><br>
Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black" lang="EN-US">From:
</span></b><span style="font-size:12.0pt;color:black"
lang="EN-US">Dean Coclin
<a class="moz-txt-link-rfc2396E" href="mailto:dean.coclin@digicert.com"><dean.coclin@digicert.com></a><br>
<b>Date: </b>Wednesday, 13 September 2023 at 10:14<br>
<b>To: </b>Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a>, Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>, Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:bruce.morton@entrust.com"><bruce.morton@entrust.com></a><br>
<b>Subject: </b>RE: [Cscwg-public] Proposed Signing
Service, High Risk and Timestamp Changes<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US">What “</span><span style="font-size:11.0pt"
lang="EN-US">current timestamping BRs” are you referring
to?</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">As I said, timestamping strictly related to
code signing should be in scope.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Dean</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3"
lang="EN-US">Dean Coclin </span></b><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US">Sr. Director Business Development</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US">M 1.781.789.8686</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US"> Tim Hollebeek
<a class="moz-txt-link-rfc2396E" href="mailto:tim.hollebeek@digicert.com"><tim.hollebeek@digicert.com></a> <br>
<b>Sent:</b> Tuesday, September 12, 2023 8:27 PM<br>
<b>To:</b> Dean Coclin
<a class="moz-txt-link-rfc2396E" href="mailto:dean.coclin@digicert.com"><dean.coclin@digicert.com></a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>; Bruce Morton
<a class="moz-txt-link-rfc2396E" href="mailto:bruce.morton@entrust.com"><bruce.morton@entrust.com></a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposed Signing
Service, High Risk and Timestamp Changes</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">This is just wrong, and Martijn was trying
to say the opposite thing anyway: we should update the
charter to explicitly state that timestamping is in
scope. And I agree.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">The reason it can’t be true that
timestamping is out of scope is because the current
timestamping BRs have over 75+ references to
timestamping!</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"><br>
We’ve always considered timestamping to be in scope,
because it’s an essential part of a secure code signing
ecosystem. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">-Tim</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div
style="border:none;border-left:solid blue 1.5pt;padding:0cm 0cm 0cm 4.0pt">
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US">
Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Dean Coclin via Cscwg-public<br>
<b>Sent:</b> Tuesday, September 5, 2023 10:15 AM<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>;
Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>><br>
<b>Subject:</b> Re: [Cscwg-public] Proposed
Signing Service, High Risk and Timestamp Changes</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US">As has been pointed out many times, the
charter of the CSCWG does not include timestamping.
Hence anything related to that beyond Code Signing
would require a change to the charter.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US">Thanks for the point Martijn.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"><br>
Dean</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3"
lang="EN-US">Dean Coclin </span></b><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US">Sr. Director Business Development</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US">M 1.781.789.8686</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span style="font-size:11.0pt"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US">
Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Tuesday, September 5, 2023 11:47 AM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:bruce.morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">bruce.morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> Re: [Cscwg-public] Proposed
Signing Service, High Risk and Timestamp Changes</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Hey Bruce,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"><br>
I’m inclined to say that even the removal of TSC
Private Keys is a new requirement. If we’re not
explicitly saying that existing keys up until this
point are excluded, then CAs may need to remove a
fair number of keys. If so, we may need to allow for a
bit more time.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">That also brings me to another concern
that popped up:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">We’re adding more restrictions around
timestamp certificates. While these obviously are
heavily used for code signing, they’re not used just
for that purpose.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">With that in mind, I think at least in
the next Forum level meeting, we should make all
members aware of the proposed changes, since it will
probably impact members that are not a member of the
CSWG. Secondly, I’ve started to wonder if we need to
get our charter updated to include the scope of
timestamping certificates, and possibly allow members
that do not issue code signing certificates but that
still are a TSA.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="SV">Regards,<br>
<br>
Martijn</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black"
lang="EN-US">From: </span></b><span
style="font-size:12.0pt;color:black"
lang="EN-US">Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>><br>
<b>Date: </b>Thursday, 31 August 2023 at 17:30<br>
<b>To: </b>Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>,
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>
<<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>><br>
<b>Subject: </b>RE: [Cscwg-public] Proposed
Signing Service, High Risk and Timestamp Changes</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Hi
Martijn,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Thanks
for the Github version!</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">We
should discuss which items need a future effective
date. I assume the only issue is offline
Subordinate CA. I would propose 15 September 2024.
I don’t think there should be any impact to TSA
certificates, since the private key can only be
used for 15 months, which is not changing.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Bruce.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt" lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US"> Martijn
Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>
<br>
<b>Sent:</b> Thursday, August 31, 2023 10:56
AM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: [Cscwg-public]
Proposed Signing Service, High Risk and
Timestamp Changes</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">As
discussed on the last call, I’ve moved the
language into GitHub, which can be reviewed at <a
href="https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1"
moz-do-not-send="true">https://github.com/cabforum/code-signing/compare/main...XolphinMartijn:code-signing:TSA_Changes?expand=1</a></span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">In
this, I’ve also added text on logging key removal
and how to handle key recovery scenarios.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">It
occurs to me that we’re missing two details on
this item:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l2 level1 lfo3"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">What
kind of effective date are we looking to attach
to this?</span><span lang="EN-US"><o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l2 level1 lfo3"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">What
will apply to SubCAs and Timestamp Certificates
that have already been issued?</span><span
lang="EN-US"><o:p></o:p></span>
<ol style="margin-top:0cm" type="a" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l2 level2 lfo3"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">If
we want the same logic to be applied, do we
want to maybe give additional time for
existing setups?</span><span lang="EN-US"><o:p></o:p></span></li>
</ol>
</li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Thoughts?</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt" lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US"> Bruce
Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Wednesday, 16 August 2023 20:00<br>
<b>To:</b> Martijn Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> RE: [Cscwg-public] Proposed
Signing Service, High Risk and Timestamp
Changes</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Agreed
with the change proposal.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Thanks,
Bruce.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt" lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US"> Martijn
Katerbarg <<a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">martijn.katerbarg@sectigo.com</a>>
<br>
<b>Sent:</b> Thursday, August 10, 2023 3:54 PM<br>
<b>To:</b> Bruce Morton <<a
href="mailto:Bruce.Morton@entrust.com"
moz-do-not-send="true"
class="moz-txt-link-freetext">Bruce.Morton@entrust.com</a>>;
<a href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] RE: [Cscwg-public]
Proposed Signing Service, High Risk and
Timestamp Changes</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Thanks
Bruce,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">I’m
going through the TSA changes, and one thing
caught my eye:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Section
6.2.7.2 now reads:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">A
Timestamp Authority MUST protect its Private Key
in offline Hardware Crypto Module conforming to
FIPS 140-2 level 3, Common Criteria EAL 4+
(ALC_FLR.2), or higher. The Timestamp Authority
MUST protect its signing operations in
accordance with the CA/Browser Forum's Network
and Certificate System Security Requirements.</span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">The
definition of “Timestamp Authority” (TSA) reads:</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">A
service operated by the CA or a delegated third
party for its own code signing certificate users
that timestamps data using a certificate chained
to a public root, thereby asserting that the
data (or the data from which the data were
derived via a secure hashing algorithm) existed
at the specified time.</span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">It
seems to me that this change would imply that a
TSA needs to keep all their private keys in
offline HCMs, including private keys associated
with timestamp certificates. I presume this
language is intended to only apply to the private
key associated with the TSA Root CA (and even the
Subordinate CAs, as far as I understood during
today's call), but not to the private key
associated with the Timestamp Certificate itself.
</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Might
I suggest updating this language to:</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">A
Timestamp Authority MUST protect Private Keys
associated with its Root CA and Subordinate CA
certificates in offline Hardware Crypto Module
conforming to FIPS 140-2 level 3, Common
Criteria EAL 4+ (ALC_FLR.2), or higher. The
Timestamp Authority MUST protect its signing
operations in accordance with the CA/Browser
Forum's Network and Certificate System Security
Requirements.</span></i><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt" lang="EN-US">From:</span></b><span
style="font-size:11.0pt" lang="EN-US">
Cscwg-public <<a
href="mailto:cscwg-public-bounces@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via
Cscwg-public<br>
<b>Sent:</b> Friday, 21 July 2023 17:55<br>
<b>To:</b> <a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] Proposed
Signing Service, High Risk and Timestamp
Changes</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Based
on the discussions we had at the June F2F, I
have taken the opportunity to propose markups to
derive Signing Service, High Risk and
Timestamping ballots.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">The
base text is from the CSC-19 version of the
CSBRs. There may be some conflicting markups or
markups.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo7"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Signing
Service – based on the former proposal, plus
updates based on the discussions</span><span
lang="EN-US"><o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo7"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">High
Risk – Removal of high risk and takeover
attack, plus removed Subscriber key generation
methods prior to 1 June 2023 and the text
about delivering a software-based private key.
Also propose removing the “any other method”
text.</span><span lang="EN-US"><o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l4 level1 lfo7"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Timestamping
– Maintain allowing a 15-month private key usage
period and a 135-month validity period, but
requiring private keys to be destroyed within
18 months if the timestamp certificate was
valid for more than 15 months. Stating that
the HSM supporting the Time-stamp CA must be
offline. Stating that the TSA must reject
SHA-1 signed timestamp requests.</span><span
lang="EN-US"><o:p></o:p></span></li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Hoping
this will help to clean up this text which we
have been discussing for a period of time. These
items are on the agenda for next week's meeting.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-ligatures:standardcontextual" lang="EN-US">Thanks,
Bruce.</span><span lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
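<p>The ballot item quoted in the thread above (the TSA must reject SHA-1 signed timestamp requests) is the one piece of this discussion that turns directly into code on the TSA side. The following is an added example, not code from the thread, from the CSBRs or from any of the participants: a stdlib-only Python check that decodes the messageImprint of an RFC 3161 TimeStampReq and refuses SHA-1, an unrecognised hash OID, or a digest whose length does not match the declared algorithm. The DER helpers, the <code>build_tsq()</code> constructor and the sample request bytes are assumptions constructed here for the demonstration; a real TSA would run a check like <code>check_tsq()</code> on the request body before signing anything.</p>

```python
"""Added example (not from the CSCWG thread or the CSBRs): pre-check an
RFC 3161 TimeStampReq and reject SHA-1 message imprints.

The DER encoder/decoder below is a deliberately small hand-rolled one so
the example runs with the standard library only."""
import hashlib

# Hash algorithm OIDs in dotted form, and the digest length each implies.
SHA1_OID = "1.3.14.3.2.26"
ALLOWED_DIGESTS = {
    "2.16.840.1.101.3.4.2.1": 32,  # id-sha256
    "2.16.840.1.101.3.4.2.2": 48,  # id-sha384
    "2.16.840.1.101.3.4.2.3": 64,  # id-sha512
}


def _tlv(tag, body):
    """Encode one DER TLV (lengths below 65536 are plenty for a request)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    """Decode the value bytes of an OBJECT IDENTIFIER into dotted form."""
    lead = min(body[0] // 40, 2)
    arcs = [lead, body[0] - 40 * lead]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def build_tsq(hash_oid, digest, nonce=None):
    """Construct a minimal TimeStampReq (constructed test input, assumption)."""
    alg_id = _tlv(0x30, _encode_oid(hash_oid) + _tlv(0x05, b""))  # NULL params
    imprint = _tlv(0x30, alg_id + _tlv(0x04, digest))
    body = _tlv(0x02, b"\x01") + imprint  # version v1(1), then messageImprint
    if nonce is not None:
        body += _tlv(0x02, nonce.to_bytes((nonce.bit_length() + 8) // 8, "big"))
    return _tlv(0x30, body)


def check_tsq(der):
    """Return (accepted, reason) for a DER-encoded TimeStampReq."""
    try:
        tag, req, _ = _read_tlv(der, 0)
        if tag != 0x30:
            return False, "not a SEQUENCE"
        tag, version, pos = _read_tlv(req, 0)
        if tag != 0x02 or version != b"\x01":
            return False, "unsupported TimeStampReq version"
        tag, imprint, _ = _read_tlv(req, pos)
        if tag != 0x30:
            return False, "messageImprint missing"
        tag, alg_id, pos = _read_tlv(imprint, 0)
        tag, oid_body, _ = _read_tlv(alg_id, 0)
        if tag != 0x06:
            return False, "hashAlgorithm is not an OID"
        oid = _decode_oid(oid_body)
        tag, hashed, _ = _read_tlv(imprint, pos)
        if tag != 0x04:
            return False, "hashedMessage is not an OCTET STRING"
    except IndexError:
        return False, "truncated DER"
    if oid == SHA1_OID:
        return False, "SHA-1 message imprint rejected"
    expected = ALLOWED_DIGESTS.get(oid)
    if expected is None:
        return False, f"hash algorithm {oid} not permitted"
    if len(hashed) != expected:
        return False, "hashedMessage length does not match hash algorithm"
    return True, "ok"


if __name__ == "__main__":
    data = b"example.exe contents"  # constructed sample input
    for name, oid in (("sha1", SHA1_OID), ("sha256", "2.16.840.1.101.3.4.2.1")):
        print(name, check_tsq(build_tsq(oid, hashlib.new(name, data).digest())))
```

<p><code>check_tsq()</code> deliberately parses only the fields it needs (version and messageImprint) and ignores reqPolicy, nonce, certReq and extensions; a production TSA would validate those as well, and would place this check in the same request-handling path that issues the TimeStampToken, so that a rejected request never reaches the signing key.</p>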
<br>
</body>
</html>