<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">+1</font><br>
</p>
<div class="moz-cite-prefix">On 04/04/2024 04:20, Mohit Kumar via
Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018ea6e7fed5-9c74bfdc-c982-4414-8dc1-1f8657dc9a1e-000000@email.amazonses.com">
<div class="WordSection1">
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">Hi
Martijn,<o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt"> <o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">Can
I confirm that the proposal to protect private keys of
Subordinate CAs in an offline state is applicable only to
private keys generated for Roots/Subordinate CAs created
after the effective date?<o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt"> <o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">Also,
per my understanding, the scope of the proposal is limited
to only Root/Subordinate CAs issuing Timestamp Certificates
for Code Signing (i.e. with the OID 2.23.140.1.4.2). If so,
maybe it would be better to clarify this with the
following language update:<o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt"> <o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">‘Effective
April 15, 2025, a Timestamp Authority MUST protect Private
Keys associated with its Root CA certificates and Subordinate
CA certificates containing the `id-kp-timeStamping`
KeyPurposeId in the `extKeyUsage` extension (per section
7.1.2.2 g) and that issued Timestamp
Certificates with the policyidentifier 2.23.140.1.4.2<span
style="color:#CD5937">, </span>in a Hardware Crypto Module
conforming to the requirements specified in [Section
6.2.7.1](#6271-private-key-storage-for-CA-keys), maintained in
a High Security Zone and in an offline state or air-gapped
from all other networks.’<o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt"> <o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">Thanks <o:p></o:p></p>
<p
style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:0in;margin-left:30.0pt">Mohit<o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">
Cscwg-public <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On
Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 19, 2024 5:04 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>; Dimitris
Zacharopoulos (HARICA) <a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a><br>
<b>Subject:</b> Re: [Cscwg-public] Timestamp Certificate
and SubCA updates<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The language
(<a href="https://github.com/cabforum/code-signing/pull/34"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/34</a>
) has been further updated (<a
href="https://github.com/cabforum/code-signing/pull/34/commits/9288f7ec376b4bbd139dcb596bcb2d1bf9bd7683"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/34/commits/9288f7ec376b4bbd139dcb596bcb2d1bf9bd7683</a>)
based on the below. <a
id="OWAAM1110A1362D438B4BADD95FD51E9651CD"
href="mailto:dzacharo@harica.gr" moz-do-not-send="true"><span
style="font-family:"Aptos",sans-serif;text-decoration:none">@Dimitris
Zacharopoulos (HARICA)</span></a> I replaced “deleted”
with “destroyed” in your proposal, as I believe it would fit
better in that section.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Are there
any further comments? If not I will start the official
discussion period in the next few days.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black">From: </span></b><span
style="font-size:12.0pt;color:black">Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> on behalf of
Martijn Katerbarg via Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a><br>
<b>Date: </b>Monday, 11 March 2024 at 09:51<br>
<b>To: </b>Dimitris Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a>, <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a><br>
<b>Subject: </b>Re: [Cscwg-public] Timestamp
Certificate and SubCA updates<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt">Works
for me on both fronts. I’ll leave the discussion
open for a bit so others can add on.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> <o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;color:black">From: </span></b><span
style="font-size:11.0pt;color:black">Dimitris
Zacharopoulos (HARICA)
<a class="moz-txt-link-rfc2396E" href="mailto:dzacharo@harica.gr"><dzacharo@harica.gr></a><br>
<b>Date: </b>Monday, 11 March 2024 at 09:48<br>
<b>To: </b>Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com"><martijn.katerbarg@sectigo.com></a>,
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org"><cscwg-public@cabforum.org></a><br>
<b>Subject: </b>Re: [Cscwg-public] Timestamp
Certificate and SubCA updates</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">On 11/3/2024 10:32
a.m., Martijn Katerbarg wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">Thanks Dimitris,
I’ve reviewed and accepted the
suggestions. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">> witnessed by
members of two different Trusted Roles
(not by two Trusted Role Members, i.e. you
can't use two persons of the same Trusted
Role).<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">TBH, I’m not sure
why it couldn’t be two persons of the same
Trusted Role?<o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><br>
I'm not a native English speaker but I think
"Roles" (plural) points to the different types
of Roles, while "Trusted Role members" would
point to different Members in any Trusted
Role. If the intent is to have a 4-eye
principle control from any Trusted Role, we
can make it clearer by using the "Trusted Role
members" phrase.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">> In general,
a "key destruction" ceremony includes the
deletion of all copies of the key,
including copies that reside in backups.
If we require a "key destruction"
ceremony, the "restore key" case is
nonsensical. We probably need to work on
this some more so that we all have the
same understanding and expectations.<o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt">> It's ok to
keep the keys in backups but if you happen
to restore them in an HSM, you must not
use them to sign anything. If a CA/TSA can
also "destroy" the key, meaning that all
copies of that private key can be
unequivocally/securely deleted (i.e.
without a way to recover the key),
including any instance of the key as part
of a backup, the better!<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Agreed in general
regarding the Key Destruction ceremony.
However having to also destroy the backup
of the key, and do this again for any next
key every 18 months, can be a lengthy
procedure, especially if backups are stored
securely and offline in different places
around the world. That’s why for this case
we specifically call out that backups
don’t need to be destroyed. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">But your point on
an HSM restoring an entire partition and
that violating the requirement, is valid.
<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">For reference,
the current proposed language is:<o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt">The CA MAY
maintain existing backup sets containing
the Private Key corresponding to a
Timestamp Certificate. The CA MUST NOT
restore the Private Key corresponding to
a Timestamp Certificate contained within
the backup if the Timestamp Certificate
was issued more than 15 months prior to
restoration of the backup.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"> </span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">What about we
once more use the NSR language and state:<o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt">The CA MAY
maintain existing backup sets containing
the Private Key corresponding to a
Timestamp Certificate. The CA SHOULD NOT
restore the Private Key corresponding to
a Timestamp Certificate contained within
the backup if the Timestamp Certificate
was issued more than 15 months prior to
restoration of the backup. If the CA
does restore such a Private Key, the CA
SHALL only restore the Private Key in a
suitable HSM while it’s maintained in a
High Security Zone and in an offline
state or air-gapped from all other
networks and perform a new key
destruction ceremony prior to the HSM
being brought to an online state.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"> </span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Thoughts? <o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><br>
If we want to allow the existence of a key in
a backup, IMHO we should avoid using the "key
destruction" language. How about the
following:<br>
<br>
Modify</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><i><span
style="font-size:12.0pt">For Timestamp
Certificates issued on or after June 1,
2024, the CA SHALL log the removal of the
Private Key from the Hardware Crypto
Module through means of a key destruction
ceremony performed by the CA and witnessed
and signed-off by at least two Trusted
Roles.</span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><br>
to</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><i><span
style="font-size:12.0pt">For Timestamp
Certificates issued on or after June 1,
2024, the CA SHALL log the removal of the
Private Key from the Hardware Crypto
Module through means of a key <span
style="color:blue">deletion </span>ceremony
performed by the CA and witnessed and
signed-off by at least two <span
style="color:blue">Trusted Role members</span>.
<span style="color:blue">The CA MAY also
perform a key destruction ceremony, </span></span></i><span
style="font-size:12.0pt;color:blue">meaning
that all copies of that private key are
unequivocally/securely deleted (i.e. without
a way to recover the key), including any
instance of the key as part of a backup, to
satisfy this requirement</span><span
style="font-size:12.0pt">.</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"><br>
Thanks,<br>
Dimitris.</span><span style="font-size:11.0pt"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"> </span></i><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">As a side-note, I
wonder if there’s a task for the NSWG (or
Definitions WG once it’s setup) to define
terms for online and offline HSMs.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<div
id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;color:black">From: </span></b><span
style="font-size:11.0pt;color:black">Cscwg-public
<a
href="mailto:cscwg-public-bounces@cabforum.org" moz-do-not-send="true"><cscwg-public-bounces@cabforum.org></a>
on behalf of Dimitris Zacharopoulos
(HARICA) via Cscwg-public <a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><cscwg-public@cabforum.org></a><br>
<b>Date: </b>Sunday, 10 March 2024
at 10:30<br>
<b>To: </b><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">cscwg-public@cabforum.org</a>
<a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><cscwg-public@cabforum.org></a><br>
<b>Subject: </b>Re: [Cscwg-public]
Timestamp Certificate and SubCA
updates</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt">Hi Martijn,<br>
<br>
Two suggestions submitted on GitHub.<br>
<br>
Regarding the prohibition of
restoring a private key of a
Timestamp Certificate, I'm not sure
how universal this can be because
some HSMs restore an entire
slot/partition, which might contain
Private Keys associated with
obsolete Timestamp Certificates. As
the ballot is written, such an
action would be a violation.<br>
<br>
In general, a "key destruction"
ceremony includes the deletion of
all copies of the key, including
copies that reside in backups. If we
require a "key destruction"
ceremony, the "restore key" case is
nonsensical. We probably need to
work on this some more so that we
all have the same understanding and
expectations.<br>
<br>
Let me restate the intent of this
requirement as discussed all this
time, and please correct me if I'm
wrong.<br>
<br>
IMO, the goal is to put the keys
associated with Timestamp
Certificates out of use, 15 months
after the <i>notBefore </i>of the
Timestamp Certificate. <br>
<br>
In order to achieve some level of
assurance for this action, the
proposal is to delete the keys from
the HSM 18 months after the <i>notBefore
</i>of the Timestamp Certificate, in
an audited way, witnessed by members
of two different Trusted Roles (not
by two Trusted Role Members, i.e.
you can't use two persons of the
same Trusted Role). <br>
<br>
It's ok to keep the keys in backups
but if you happen to restore them in
an HSM, you must not use them to
sign anything. If a CA/TSA can also
"destroy" the key, meaning that all
copies of that private key can be
unequivocally/securely deleted (i.e.
without a way to recover the key),
including any instance of the key as
part of a backup, the better!<br>
<br>
Thoughts?<br>
<br>
Dimitris.<o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">On
6/3/2024 2:07 p.m., Martijn
Katerbarg via Cscwg-public wrote:<o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt">All,</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">As
discussed last week, I’d send
out the draft language for this
ballot once more before starting
the discussion period. The
latest version can be found in <a
href="https://github.com/cabforum/code-signing/pull/34"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/pull/34</a></span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I’ve
made changes this morning to add
3 effective dates, these are:</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<ul style="margin-top:0in"
type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l5 level1 lfo1"><span
style="font-size:11.0pt">For
the removal of private keys
associated with timestamp
certificates, effective June 1<sup>st</sup>,
2024, CAs will need to
properly log the removal of
said key. </span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
<ul style="margin-top:0in"
type="disc">
<ul style="margin-top:0in"
type="circle">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level2 lfo2"><span
style="font-size:11.0pt">While
I expect CAs to already
properly log this for audit
purposes even now, there may
be exceptions for when this
has not been done, for
example a private key or
timestamp certificate that
was signed maybe 20 years
ago. This language is added
to avoid any confusion about
from what point there needs
to be an audit trail.</span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
</ul>
<ul style="margin-top:0in"
type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l4 level1 lfo3"><span
style="font-size:11.0pt">Effective
April 15, 2025, private keys
associated with SubCAs
containing the “Time Stamping”
EKU will need to be placed in
offline HSMs.</span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
<ul style="margin-top:0in"
type="disc">
<ul style="margin-top:0in"
type="circle">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l2 level2 lfo4"><span
style="font-size:11.0pt">I
believe a roughly one year
effective date is
appropriate here, since CAs
may need to move keys from
one HSM to another.</span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
</ul>
<ul style="margin-top:0in"
type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l1 level1 lfo5"><span
style="font-size:11.0pt">For
private keys associated with
timestamp certificates that
were issued for greater than
15 months, CAs will need to
remove the private keys 18
months after certificate
issuance, starting April 15,
2025.</span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
<ul style="margin-top:0in"
type="disc">
<ul style="margin-top:0in"
type="circle">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l3 level2 lfo6"><span
style="font-size:11.0pt">Likewise,
I feel like anything
involving HSM process
changes should have a
longer effective date, and
it makes sense to align this
with the effective date
above.</span><span
style="font-size:11.0pt"><o:p></o:p></span></li>
</ul>
</ul>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">I’ll
start a ballot on this early
next week, unless there is
concern with the above. </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt">Regards,<br>
<br>
Martijn</span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"> <o:p></o:p></span></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Cscwg-public mailing list<o:p></o:p></pre>
<pre><a
href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></pre>
<pre><a
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt"> </span><span
style="font-size:11.0pt"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
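<p>The scope rule quoted in the thread (a Root or Subordinate CA carrying <code>id-kp-timeStamping</code> in <code>extKeyUsage</code> that issued Timestamp Certificates with policy 2.23.140.1.4.2) and the 15-month restore limit and 18-month removal deadline from the proposal, as an added example that is not part of the thread or of the ballot text. It uses only Go's standard <code>crypto/x509</code>; the CA, the timestamp certificates and the function names (<code>makeCA</code>, <code>makeTimestampCert</code>, <code>caInScope</code>, <code>keyRemovalDeadline</code>, <code>restoreAllowed</code>) are constructed here for illustration, and the scope test is one reading of the proposed wording, not a definition taken from the ballot.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// OIDs quoted in the thread / RFC 5280: the CA/B Forum timestamp policy and certificatePolicies.
var oidCABFTimestampPolicy = asn1.ObjectIdentifier{2, 23, 140, 1, 4, 2}
var oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}

// policyInformation is a minimal RFC 5280 PolicyInformation (no qualifiers).
type policyInformation struct{ Policy asn1.ObjectIdentifier }

// issue signs tmpl with parent/parentKey (self-signed when parent == nil) and parses the result.
// Constructed test data: keys and certificates are generated on the fly for this example.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCA builds a self-signed CA certificate carrying the given EKUs (hypothetical helper).
func makeCA(name string, ekus []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2034, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, ExtKeyUsage: ekus,
	}, nil, nil)
}

// makeTimestampCert issues an end-entity timestamping certificate from ca, optionally asserting
// policy 2.23.140.1.4.2. certificatePolicies is hand-encoded so the example works on any Go version.
func makeTimestampCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore time.Time, withPolicy bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Example TSA"},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 15, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping},
	}
	if withPolicy {
		val, err := asn1.Marshal([]policyInformation{{Policy: oidCABFTimestampPolicy}})
		if err != nil {
			return nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidCertificatePolicies, Value: val}}
	}
	cert, _, err := issue(tmpl, ca, caKey)
	return cert, err
}

// caInScope applies the proposed wording: the CA carries id-kp-timeStamping in extKeyUsage
// AND has issued at least one certificate asserting policy 2.23.140.1.4.2 (issued = its inventory).
func caInScope(ca *x509.Certificate, issued []*x509.Certificate) bool {
	hasEKU := false
	for _, eku := range ca.ExtKeyUsage {
		hasEKU = hasEKU || eku == x509.ExtKeyUsageTimeStamping
	}
	if !hasEKU {
		return false
	}
	for _, leaf := range issued {
		if leaf.CheckSignatureFrom(ca) != nil {
			continue // not actually issued by this CA, ignore it
		}
		for _, p := range leaf.PolicyIdentifiers {
			if p.Equal(oidCABFTimestampPolicy) {
				return true
			}
		}
	}
	return false
}

// keyRemovalDeadline: the private key must be removed from the HSM 18 months after notBefore.
func keyRemovalDeadline(ts *x509.Certificate) time.Time {
	return ts.NotBefore.AddDate(0, 18, 0)
}

// restoreAllowed: a backup holding the key must not be restored once the certificate is more than 15 months old.
func restoreAllowed(ts *x509.Certificate, restoreAt time.Time) bool {
	return !restoreAt.After(ts.NotBefore.AddDate(0, 15, 0))
}
```

<p>The inventory passed to <code>caInScope</code> is what a CA would pull from its issuance database; the signature check drops certificates that were not actually issued by that CA, which matters when several Subordinate CAs share a timestamping EKU but only one issued the 2.23.140.1.4.2 certificates.</p>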
</body>
</html>