<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-2022-jp">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:SimSun;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"MS PGothic";
panose-1:2 11 6 0 7 2 5 8 2 4;}
@font-face
{font-family:"\@MS PGothic";}
@font-face
{font-family:"\@SimSun";
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
p.null, li.null, div.null
{mso-style-name:null;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:10.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:JA;}
span.pl-mh
{mso-style-name:pl-mh;}
span.EmailStyle24
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:242380547;
mso-list-template-ids:582412394;}
@list l1
{mso-list-id:683479429;
mso-list-template-ids:2013194948;}
@list l1:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2
{mso-list-id:992025958;
mso-list-type:hybrid;
mso-list-template-ids:962625554 -1028629442 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l2:level1
{mso-level-start-at:0;
mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:52.2pt;
text-indent:-34.2pt;
font-family:Symbol;
mso-fareast-font-family:"MS PGothic";
mso-bidi-font-family:Calibri;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Ian has provided some feedback on the Signing Service ballot. Let�$B!G�(Bs plan to discuss on the working group call this week.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">From:</span></b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> Ian McMillan <ianmcm@microsoft.com>
<br>
<b>Sent:</b> Monday, October 30, 2023 1:30 PM<br>
<b>To:</b> Bruce Morton <Bruce.Morton@entrust.com>; Dean Coclin <dean.coclin@digicert.com><br>
<b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal" style="mso-line-height-alt:.75pt"><span style="font-size:1.0pt;color:white">Hi Bruce, Sorry for the delay. I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I
really see the �$B!H�(BSigning Service�$B!I�(B as a representative of the subscriber in terms </span>
<span style="font-size:1.0pt"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">Hi Bruce,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">Sorry for the delay.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I really see the �$B!H�(BSigning
Service�$B!I�(B as a representative of the subscriber in terms of providing key protection services and providing an interface to securely sign code with a certificate issued for signing, so the only requirements I am seeing are applicable are the private key protection
requirements. Even when a CA�$B!G�(Bs parent organization is providing a signing service option to subscribers, that entity is all about protecting the private key for the subscriber and is really not part of the �$B!H�(BCertificate System�$B!I�(B as you might interpret the definition
in the NetSec BRs. Today, Signing Services that are not offered by CAs are not audited under these criteria (e.g. Venafi, SignPath, etc.), but now we�$B!G�(Bd be make them get audits which are not really applicable. The other question I have now is how this audit
requirement will be enforced (CAs, root programs, both)? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">I know we have discussed this point and we agreed we do not want to allow someone with a HSM and a laptop to stand up a signing service, but there
is really nothing stopping that from happening now because the subscriber private key protection requirements are what come into play if the subscriber chooses to work with a signing service that is not from a CA.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">Thanks,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US">Ian
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Aptos",sans-serif;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>>
<br>
<b>Sent:</b> Monday, October 30, 2023 10:38 AM<br>
<b>To:</b> Dean Coclin <<a href="mailto:dean.coclin@digicert.com">dean.coclin@digicert.com</a>>; Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Hi Ian,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Just wanted to follow up on getting your re-endorsement.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Dean Coclin <<a href="mailto:dean.coclin@digicert.com">dean.coclin@digicert.com</a>>
<br>
<b>Sent:</b> Monday, October 23, 2023 3:40 PM<br>
<b>To:</b> Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>><br>
<b>Cc:</b> Bruce Morton <<a href="mailto:Bruce.Morton@entrust.com">Bruce.Morton@entrust.com</a>><br>
<b>Subject:</b> [EXTERNAL] RE: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US">Ian,
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US">Bruce is out this week but let me know if you want to endorse as he left me instructions to put the ballot out once you endorse.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US"><br>
Thanks<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#0174C3;mso-fareast-language:EN-US">Dean Coclin
<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E;mso-fareast-language:EN-US">Sr. Director Business Development<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E;mso-fareast-language:EN-US">M 1.781.789.8686<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><img border="0" width="129" height="37" style="width:1.3416in;height:.3833in" id="Picture_x0020_1" src="cid:image001.jpg@01DA0B33.689DCA60"></span><span style="font-size:11.0pt;font-family:"Arial",sans-serif;color:#48565E;mso-fareast-language:EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">From:</span></b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Friday, October 20, 2023 4:27 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] FW: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The ballot has been updated as indicated below. As soon as we get the proposal re-endorsed, then we will send out version 2 of the ballot.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt">From:</span></b><span style="font-size:11.0pt"> Bruce Morton
<br>
<b>Sent:</b> Friday, October 20, 2023 8:55 AM<br>
<b>To:</b> Ian McMillan <<a href="mailto:ianmcm@microsoft.com">ianmcm@microsoft.com</a>>; Tim Hollebeek (<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>) <<a href="mailto:tim.hollebeek@digicert.com">tim.hollebeek@digicert.com</a>><br>
<b>Cc:</b> Corey Bonnell <<a href="mailto:Corey.Bonnell@digicert.com">Corey.Bonnell@digicert.com</a>>; Dean Coclin <<a href="mailto:dean.coclin@digicert.com">dean.coclin@digicert.com</a>><br>
<b>Subject:</b> FW: Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Hi Ian and Tim,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Based on the comments and our call yesterday, we have update the proposed ballot, see
<a href="https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjI1YmE6N2RmOTcyMmZiZmNiZmI1NTZmZmNkODdkODViZjU3MTgwY2JhODUzZjc0OTM2MTQ5NmE0NTJiY2MzZDlkNTU4MTpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vzgd9jvIo$" title="Protected by Avanan: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216">
https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">The changes are as follows:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Original proposal -
</span><span style="font-size:11.0pt">Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">New proposal - Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Code Signing Certificate, on behalf of a Subscriber.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There were no objections to this change on the call and Martijn also agreed that it addressed his concerns.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">We also discussed helping Signing Service migrate to their audit requirements. This would also help the auditors know when the audit to these requirements would be applicable. Here is the change:</span><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Original proposal - The Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">New proposal - For Audit Periods starting after June 30, 2024, the Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in
accordance with one of the following schemes:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">My assumption is that the ballot will be approved and go through IPR this year, so the current Signing Services would have 6 months to adjust their practices to the new requirements.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Please advise if you approve the changes and I will start the discussion period again.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">Thanks, Bruce.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN">From:</span></b><span style="font-size:11.0pt;mso-fareast-language:ZH-CN"> Cscwg-public <<a href="mailto:cscwg-public-bounces@cabforum.org">cscwg-public-bounces@cabforum.org</a>>
<b>On Behalf Of </b>Bruce Morton via Cscwg-public<br>
<b>Sent:</b> Thursday, October 12, 2023 3:59 PM<br>
<b>To:</b> <a href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] [Cscwg-public] Ballot CSC-21: Signing Service Update<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in"><b><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:black">Purpose of the Ballot</span></b><o:p></o:p></p>
<p class="MsoNormal" id="bkmrk-this-ballot-updates-"><span style="font-size:11.0pt">This ballot updates the �$B!H�(BBaseline Requirements for the Issuance and Management of Publicly�$B!>�(BTrusted Code Signing Certificates�$B!H�(B version 3.4 in order to clarify language regarding
Signing Service and signing requests. The main goals of this ballot are to:<o:p></o:p></span></p>
<ol start="1" type="1" id="bkmrk-remove-dependencies-">
<li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">Clarify the Signing Service definition and the expected deployment model.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">Remove requirements for signing request.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">Change text so Signing Service is not categorized as a Delegated Third Party.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">Not allow Signing Service to transport Private Key to Subscriber.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">Ensure Network Security Requirements are applicable to Signing Service.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li><li class="null" style="mso-list:l1 level1 lfo3"><span class="pl-mh"><span style="font-size:11.0pt">State audit requirements for Signing Service.</span></span><span style="font-size:11.0pt"><o:p></o:p></span></li></ol>
<p class="MsoNormal"><span style="font-size:11.0pt">The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p style="margin:0in"><b><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#0E101A">MOTION BEGINS</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">This ballot updates the �$B!H�(BBaseline Requirements for the Issuance and Management of Publicly�$B!>�(BTrusted Code Signing Certificates�$B!I�(B ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing
Baseline Requirements as specified in the following redline: <a href="https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjFhMTI6YzIzOTA4ZGViYmRmMmUyYzlmODY4ZTRlNGVmY2NmZTljZTFhNWI1YTQ4NmExMzNjMjI5ZDY4ODFlN2ExMzZmMDpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vz8Ipl2OY$" title="Protected by Avanan: https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw">
https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<p style="margin:0in"><b><span style="font-size:13.5pt;font-family:"Arial",sans-serif;color:#0E101A">MOTION ENDS</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The procedure for this ballot is as follows:</span> Discussion (7 days)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Start Time: 2023-10-12 20:00 UTC<o:p></o:p></p>
<p class="MsoListParagraph" style="margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>End Time: Not before 2023-10-19 20:00 UTC<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Vote for approval (7 days)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoListParagraph" style="margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5">
<![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>Start Time: TBD<o:p></o:p></p>
<p class="MsoListParagraph" style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:12.0pt;margin-left:52.2pt;text-indent:-34.2pt;mso-list:l2 level1 lfo5">
<![if !supportLists]><span style="font-size:12.0pt;font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt "Times New Roman"">
</span></span></span><![endif]>End Time: TBD<span style="font-size:12.0pt;font-family:"MS PGothic",sans-serif"><o:p></o:p></span></p>
</div>
<i>Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains.
<u>Please notify Entrust immediately and delete the message from your system.</u></i>
</body>
</html>