<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link="#0563C1" vlink="#954F72" style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt'>I think these are good clarifications. I think it’s important to make sure the definition of Signing Service accurately encompasses the cases where a Subscriber is relying on the CA to provide key generation and protection, but doesn’t accidentally pull anything else inappropriate into scope.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>If the definition and scope are not properly defined, it is almost inevitable that some existing or future requirement will have unexpected and damaging consequences.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>-Tim<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public &lt;cscwg-public-bounces@cabforum.org&gt; <b>On Behalf Of </b>Corey Bonnell via Cscwg-public<br><b>Sent:</b> Tuesday, October 17, 2023 12:34 PM<br><b>To:</b> Bruce Morton &lt;bruce.morton@entrust.com&gt;; Martijn Katerbarg &lt;martijn.katerbarg@sectigo.com&gt;; cscwg-public@cabforum.org<br><b>Subject:</b> Re: [Cscwg-public] Ballot CSC-21: Signing Service Update<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>Hi Bruce,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I agree the current definition of Signing Service would encompass the CA’s own Subscriber keys. 
However, we are proposing to amend the definition to:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>“An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”. Under this definition, the CA’s own Signing Service would not qualify as a Signing Service for its own Subscriber key pairs.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>> <br><b>Sent:</b> Tuesday, October 17, 2023 3:27 PM<br><b>To:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com">Corey.Bonnell@digicert.com</a>>; Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> RE: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>Hi Corey,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Can you please elaborate why you have the concern? 
<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>My first take is an example where a Signing Service must use FIPS 140-2 Level 3 and the Subscriber must use minimum Level 2. So if the Subscriber key was generated by the Signing Service, then Level 3 would apply. I don’t see a conflict as both requirements are met. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I guess I am not understanding why the Signing Service requirements would not apply even if the CA was using the Signing Service for its Subscriber’s keys.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks, Bruce.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com">Corey.Bonnell@digicert.com</a>> <br><b>Sent:</b> Tuesday, October 17, 2023 3:06 PM<br><b>To:</b> Martijn Katerbarg <<a href="mailto:martijn.katerbarg@sectigo.com">martijn.katerbarg@sectigo.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br><b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>In the case where the CA is generating its own Key Pairs to issue itself code signing 
certificates, their obligations for key protection would be outlined in the sections pertaining to Subscriber Key Pair protection, even if the Private Key so happens to reside in a Signing Service that they run. I think this is fine but want to ensure there’s agreement on this interpretation.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thoughts?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Thanks,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Corey<o:p></o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:11.0pt'>From:</span></b><span style='font-size:11.0pt'> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> <b>On Behalf Of </b>Martijn Katerbarg via Cscwg-public<br><b>Sent:</b> Friday, October 13, 2023 9:17 AM<br><b>To:</b> Bruce Morton <<a href="mailto:bruce.morton@entrust.com">bruce.morton@entrust.com</a>>; <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br><b>Subject:</b> Re: [Cscwg-public] Ballot CSC-21: Signing Service Update<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>Hi Bruce,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>I have a concern with the “Signing Service” definition:<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>“**Signing Service**: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> 
</o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>For subscribers that generate their own private keys and use these for signing (i.e., they manage them), I’m inclined to say that this would define them as a Signing Service.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Should we reword this to “An organization other than the Subscriber or any of its Affiliates, that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate”?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'>Regards,<br><br>Martijn<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt'><o:p> </o:p></span></p><div id=mail-editor-reference-message-container><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:12.0pt;color:black;mso-fareast-language:EN-GB'>From: </span></b><span style='font-size:12.0pt;color:black;mso-fareast-language:EN-GB'>Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>> on behalf of Bruce Morton via Cscwg-public <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Date: </b>Thursday, 12 October 2023 at 21:59<br><b>To: </b><a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a> <<a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>><br><b>Subject: </b>[Cscwg-public] Ballot CSC-21: Signing Service Update<o:p></o:p></span></p></div>
<p class=MsoNormal><span style='font-size:11.0pt;mso-fareast-language:EN-GB'><o:p> </o:p></span></p><div><p style='margin:0in'><b><span style='font-size:13.5pt;font-family:"Arial",sans-serif;color:black'>Purpose of the Ballot</span></b><o:p></o:p></p><p class=MsoNormal id=bkmrk-this-ballot-updates-><span style='font-size:11.0pt'>This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to:</span><o:p></o:p></p><ol start=1 type=1 id=bkmrk-remove-dependencies-><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>Clarify the Signing Service definition and the expected deployment model.</span></span><o:p></o:p></li><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>Remove requirements for signing request.</span></span><o:p></o:p></li><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>Change text so Signing Service is not categorized as a Delegated Third Party.</span></span><o:p></o:p></li><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>Not allow Signing Service to transport Private Key to Subscriber.</span></span><o:p></o:p></li><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>Ensure Network Security Requirements are applicable to Signing Service.</span></span><o:p></o:p></li><li class=null style='mso-list:l1 level1 lfo3'><span class=pl-mh><span style='font-size:11.0pt'>State audit requirements for Signing 
Service.</span></span><o:p></o:p></li></ol><p class=MsoNormal><span style='font-size:11.0pt'>The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.</span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p style='margin:0in'><b><span style='font-size:13.5pt;font-family:"Arial",sans-serif;color:#0E101A'>MOTION BEGINS</span></b><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'>This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: <a href="https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866">https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866</a></span><o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt'> </span><o:p></o:p></p><p style='margin:0in'><b><span style='font-size:13.5pt;font-family:"Arial",sans-serif;color:#0E101A'>MOTION ENDS</span></b><o:p></o:p></p><p class=MsoNormal><span 
style='font-size:11.0pt'>The procedure for this ballot is as follows:</span> Discussion (7 days)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoListParagraph style='margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Start Time: 2023-10-12 20:00 UTC<o:p></o:p></p><p class=MsoListParagraph style='margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>End Time: Not before 2023-10-19 20:00 UTC<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoNormal>Vote for approval (7 days)<o:p></o:p></p><p class=MsoNormal> <o:p></o:p></p><p class=MsoListParagraph style='margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>Start Time: TBD<o:p></o:p></p><p class=MsoListParagraph style='mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5'><![if !supportLists]><span style='font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]>End Time: TBD<o:p></o:p></p></div></div></div></div></div></body></html>