<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><font face="Calibri">I also agree with the proposal, but I am not
clear where this "magic number" of 72 (months) comes from...</font></p>
<p><font face="Calibri">Adriano</font></p>
<p><font face="Calibri"><br>
</font></p>
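<p><font face="Calibri">The two numeric thresholds in the quoted thread below, the proposed 72-month SubCA validity cut-off for offline key storage and the 15-month limit on restoring a Timestamp Certificate's Private Key from backup, are both calendar-month comparisons whose boundaries are easy to get wrong. The following Python is an added worked example written for this page; it is not code from the thread, from the CA/Browser Forum, or from any CA, and the certificate data in it is constructed. It assumes the OID 1.3.6.1.5.5.7.3.8 for id-kp-timeStamping, takes the 72 as a parameter (the thread does not say where it comes from), and treats a validity of exactly 72 months as not "greater than 72 months", which the proposal leaves unstated.</font></p>

```python
"""Date-arithmetic helpers for the two thresholds discussed in this thread.

Added example for this page; not code from the mailing-list thread, from
the CA/Browser Forum, or from any CA. It encodes:
  * Ian McMillan's proposal: a Subordinate CA certificate carrying the
    id-kp-timeStamping EKU that issued Timestamp Certificates under policy
    2.23.140.1.4.2 MUST have its key offline if the certificate's validity
    period is greater than 72 months, and MAY stay online otherwise.
  * The quoted backup clause: a Timestamp Certificate's Private Key MUST NOT
    be restored from backup if the certificate was issued more than
    15 months before the restoration.
"""
import calendar
from dataclasses import dataclass
from datetime import date

ID_KP_TIMESTAMPING = "1.3.6.1.5.5.7.3.8"   # id-kp-timeStamping (RFC 5280)
CS_TIMESTAMP_POLICY = "2.23.140.1.4.2"    # policy OID quoted in the thread
OFFLINE_THRESHOLD_MONTHS = 72             # parameter; origin not given in thread
BACKUP_RESTORE_LIMIT_MONTHS = 15


def add_months(d: date, n: int) -> date:
    """Shift d by n calendar months, clamping the day to the target month's
    end (so 31 Jan + 1 month is 29 Feb in a leap year, not an invalid date)."""
    years, month_index = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return d.replace(year=year, month=month, day=min(d.day, last_day))


@dataclass(frozen=True)
class SubCaCert:
    """Constructed stand-in for the certificate fields the rule looks at;
    a real check would read these from a parsed X.509 certificate."""
    not_before: date
    not_after: date
    extended_key_usage: frozenset   # EKU OIDs as dotted strings
    issued_policy_oids: frozenset   # policy OIDs of certificates it issued


def validity_exceeds(cert: SubCaCert, months: int) -> bool:
    """True when notAfter lies strictly after notBefore + months.
    Assumption: the proposal says 'greater than' / 'less than' 72 months
    without fixing the boundary; exactly 72 months is treated here as NOT
    exceeding the threshold."""
    return cert.not_after > add_months(cert.not_before, months)


def key_storage_requirement(cert: SubCaCert) -> str:
    """Classify a SubCA under the proposed wording."""
    in_scope = (ID_KP_TIMESTAMPING in cert.extended_key_usage
                and CS_TIMESTAMP_POLICY in cert.issued_policy_oids)
    if not in_scope:
        return "OUT_OF_SCOPE"
    if validity_exceeds(cert, OFFLINE_THRESHOLD_MONTHS):
        return "MUST_BE_OFFLINE"
    return "MAY_BE_ONLINE"


def may_restore_backup_key(ts_cert_issued: date, restore_on: date) -> bool:
    """Restoration is allowed only if the Timestamp Certificate was issued
    no more than 15 months before the restore date (exactly 15 is allowed)."""
    return restore_on <= add_months(ts_cert_issued, BACKUP_RESTORE_LIMIT_MONTHS)


def demo() -> dict:
    """Run the rules over constructed sample data (not real CA certificates)."""
    ts_eku = frozenset({ID_KP_TIMESTAMPING})
    cs_policy = frozenset({CS_TIMESTAMP_POLICY})
    start = date(2025, 4, 15)

    def ts_subca(not_after: date) -> SubCaCert:
        return SubCaCert(start, not_after, ts_eku, cs_policy)

    # serverAuth-only SubCA, constructed to exercise the scope check
    tls_only = SubCaCert(start, date(2035, 4, 15),
                         frozenset({"1.3.6.1.5.5.7.3.1"}), frozenset())
    return {
        "ten_years": key_storage_requirement(ts_subca(date(2035, 4, 15))),
        "five_years": key_storage_requirement(ts_subca(date(2030, 4, 15))),
        "exactly_72_months": key_storage_requirement(ts_subca(date(2031, 4, 15))),
        "one_day_over": key_storage_requirement(ts_subca(date(2031, 4, 16))),
        "tls_only": key_storage_requirement(tls_only),
        "restore_at_14_months": may_restore_backup_key(date(2024, 6, 1), date(2025, 8, 1)),
        "restore_at_15_months": may_restore_backup_key(date(2024, 6, 1), date(2025, 9, 1)),
        "restore_at_16_months": may_restore_backup_key(date(2024, 6, 1), date(2025, 10, 1)),
        "leap_day_clamp": add_months(date(2024, 1, 31), 1).isoformat(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

<p><font face="Calibri">Running the file prints the classifications; <code>demo()</code> returns them so the boundary cases (exactly 72 months, exactly 15 months, a month-end clamped by <code>add_months</code>) can be checked in one place. Comparing <code>notAfter</code> against <code>notBefore</code> plus 72 calendar months, rather than counting whole months, is what makes a certificate that is one day over the threshold land in the offline bucket.</font></p>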
<div class="moz-cite-prefix">On 04/04/2024 20:59, Martijn Katerbarg
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018eaa7b6d69-e9ea4d7e-77d0-4dc8-aecd-677a3d6104d6-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Hi Ian,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><br>
I like that proposal. Perhaps a minor nit is that I’d
suggest we replace “new” with “newly issued Subordinate CA
certificates after that date with a validity…”.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">I’ll
leave this open for discussion a few more days, and restart
the discussion period sometime next week, unless there is
further feedback.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US">Regards,<br>
<br>
Martijn<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black" lang="EN-US">From:
</span></b><span style="font-size:12.0pt;color:black"
lang="EN-US">Ian McMillan <a class="moz-txt-link-rfc2396E" href="mailto:ianmcm@microsoft.com">&lt;ianmcm@microsoft.com&gt;</a><br>
<b>Date: </b>Thursday, 4 April 2024 at 19:54<br>
<b>To: </b>Martijn Katerbarg
<a class="moz-txt-link-rfc2396E" href="mailto:martijn.katerbarg@sectigo.com">&lt;martijn.katerbarg@sectigo.com&gt;</a>,
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public@cabforum.org">&lt;cscwg-public@cabforum.org&gt;</a>, Mohit Kumar
<a class="moz-txt-link-rfc2396E" href="mailto:mohit.kumar@globalsign.com">&lt;mohit.kumar@globalsign.com&gt;</a><br>
<b>Subject: </b>RE: [Cscwg-public] Timestamp
Certificate and SubCA updates<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:12.0pt"
lang="EN-US"><o:p> </o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Hi Martijn and all,</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Thinking more about this requirement
and the way folks are operating today, I can see
that with this requirement CAs may be constrained when
they encounter a need for greater agility to scale
out. I’d like to propose a means to keep issuing CAs
for time stamping end-entity certificates online
when they are shorter-lived certificates (less than
72 months in validity). I agree that we need wording
to say existing CAs are not required to adhere to
these clarified requirements, but all new subCAs
must meet the requirements. Here is my proposal…</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">“‘Effective April 15, 2025, a Timestamp
Authority MUST protect all Private Keys associated
with its Root CA certificates and <span
style="color:red">new</span> Subordinate CA
certificates <span style="color:red">with a
validity period of greater than 72 months</span>
containing the `id-kp-timeStamping` KeyPurposeId in
the `extKeyUsage` extension (per section 7.1.2.2 g)
and that issued Timestamp Certificates with the
policyidentifier 2.23.140.1.4.2, in a Hardware
Crypto Module conforming to the requirements
specified in [Section
6.2.7.1](#6271-private-key-storage-for-CA-keys),
maintained in a High Security Zone and in an offline
state or air-gapped from all other networks.’</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">What I intend this to mean is that
all new subCAs issuing time stamp certificates will
fall into two buckets…</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<ul style="margin-top:0cm" type="disc">
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l1 level1 lfo1"><span
style="font-size:11.0pt" lang="EN-US">SubCA
Certificate validity greater than 72 months
MUST/SHALL be secured offline</span><span
lang="EN-US"><o:p></o:p></span></li>
<li class="MsoListParagraph"
style="margin-left:0cm;mso-list:l1 level1 lfo1"><span
style="font-size:11.0pt" lang="EN-US">SubCA
Certificate validity less than 72 months MAY be
secured online (or ‘SHOULD be secured offline’)</span><span
lang="EN-US"><o:p></o:p></span></li>
</ul>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">This is similar to a policy we’ve
operated under internally with the risk of online
issuing CAs where we need greater agility to scale
out as the business needs for certificate
issuance/fulfillment have higher volumes and latency
requirements that offline CAs just cannot
effectively meet. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Thanks,<br>
Ian </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Cscwg-public
<a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org">&lt;cscwg-public-bounces@cabforum.org&gt;</a> <b>On
Behalf Of </b>Martijn Katerbarg via
Cscwg-public<br>
<b>Sent:</b> Thursday, April 4, 2024 6:07 AM<br>
<b>To:</b> Mohit Kumar
<a class="moz-txt-link-rfc2396E" href="mailto:mohit.kumar@globalsign.com">&lt;mohit.kumar@globalsign.com&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [EXTERNAL] Re: [Cscwg-public]
Timestamp Certificate and SubCA updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Hi Mohit,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">></span><span lang="EN-US"> </span><span
style="font-size:11.0pt" lang="EN-US">Can I confirm
that the proposal to protect private keys of
Subordinate CAs in an offline state is applicable to
only private keys generated for Roots/Subordinate
CAs created after the effective date?</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">You’re touching on a good point here.
The way the requirement is written, it can be
interpreted such that the CA would need to do
this for existing SubCAs as well. I’m leaving out
Root CAs here, since even now these are already
required to be in an offline state.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">But, making this a requirement for
existing SubCAs may be an issue… while CAs may be
able to migrate keys to an offline HSM, that’s not
always a given. If that’s not an option, then key
destruction would also not be an option, because even
if the CA wouldn’t use the SubCA to issue new
timestamp certificates anymore, they would still
need to use the key for signing CRLs. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">I think it makes sense for the
requirement to apply to any SubCA still used for the
issuance of timestamp certificates going forward. If
there’s no objection to that approach, I can update
the ballot. </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"><br>
(I won’t be able to make today’s call, but please
feel free to discuss and let me know the outcome)</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">></span><span lang="EN-US"> </span><span
style="font-size:11.0pt" lang="EN-US">Also, per my
understanding, the scope of the proposal is limited
to only Root/Subordinate CAs issuing Timestamp
Certificates for Code Signing (i.e. with the OID
2.23.140.1.4.2). If yes, maybe it would be better
to clarify the same with the following language
update</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Correct. I would expect Section 1.2
already makes clear that only TS certificates with
this OID assert compliance with the CSBRs. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">From a root store standpoint, it
seems the MS Root store policy requires the
Policy OID to be included for TLS and Non-EV code
signing, but there is no mention there of
Timestamping certificates specifically.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black"
lang="EN-US">From: </span></b><span
style="font-size:12.0pt;color:black"
lang="EN-US">Mohit Kumar <</span><span
lang="EN-US"><a
href="mailto:mohit.kumar@globalsign.com"
moz-do-not-send="true"><span
style="font-size:12.0pt">mohit.kumar@globalsign.com</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">><br>
<b>Date: </b>Thursday, 4 April 2024 at 04:19<br>
<b>To: </b>Martijn Katerbarg <</span><span
lang="EN-US"><a
href="mailto:martijn.katerbarg@sectigo.com"
moz-do-not-send="true"><span
style="font-size:12.0pt">martijn.katerbarg@sectigo.com</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">>, </span><span lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US"> <</span><span lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">><br>
<b>Subject: </b>RE: [Cscwg-public] Timestamp
Certificate and SubCA updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">Hi Martijn,<o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">Can I confirm that the proposal to
protect private keys of Subordinate CAs in an
offline state is applicable to only private
keys generated for Roots/Subordinate CAs created
after the effective date?<o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">Also, per my understanding, the
scope of the proposal is limited to only
Root/Subordinate CAs issuing Timestamp
Certificates for Code Signing (i.e. with the
OID 2.23.140.1.4.2). If yes, maybe it would be
better to clarify the same with the following
language update<o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">‘Effective April 15, 2025, a
Timestamp Authority MUST protect Private Keys
associated with its Root CA certificates and
Subordinate CA certificates containing the
`id-kp-timeStamping` KeyPurposeId in the
`extKeyUsage` extension (per section 7.1.2.2 g)
and that issued Timestamp
Certificates with the policyidentifier 2.23.140.1.4.2<span
style="color:#CD5937">, </span>in a Hardware
Crypto Module conforming to the requirements
specified in [Section
6.2.7.1](#6271-private-key-storage-for-CA-keys),
maintained in a High Security Zone and in an
offline state or air-gapped from all other
networks.’<o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US"> <o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">Thanks <o:p></o:p></span></p>
<p
style="mso-margin-top-alt:5.0pt;margin-right:0cm;margin-bottom:0cm;margin-left:30.0pt"><span
lang="EN-US">Mohit<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US"> Cscwg-public <</span><span
lang="EN-US"><a
href="mailto:cscwg-public-bounces@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">cscwg-public-bounces@cabforum.org</span></a></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">> <b>On Behalf Of </b>Martijn
Katerbarg via Cscwg-public<br>
<b>Sent:</b> Tuesday, March 19, 2024 5:04 AM<br>
<b>To:</b> </span><span lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">cscwg-public@cabforum.org</span></a></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">; Dimitris Zacharopoulos
(HARICA) <</span><span lang="EN-US"><a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">dzacharo@harica.gr</span></a></span><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"
lang="EN-US">><br>
<b>Subject:</b> Re: [Cscwg-public] Timestamp
Certificate and SubCA updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><span lang="EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">The language (</span><span
lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/34"><span
style="font-size:11.0pt">https://github.com/cabforum/code-signing/pull/34</span></a></span><span
style="font-size:11.0pt" lang="EN-US"> ) has
been further updated (</span><span lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/34/commits/9288f7ec376b4bbd139dcb596bcb2d1bf9bd7683"><span
style="font-size:11.0pt">https://github.com/cabforum/code-signing/pull/34/commits/9288f7ec376b4bbd139dcb596bcb2d1bf9bd7683</span></a></span><span
style="font-size:11.0pt" lang="EN-US">) based on
the below. </span><span lang="EN-US"><a
id="OWAAM1110A1362D438B4BADD95FD51E9651CD"
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><span
style="font-size:11.0pt;font-family:"Aptos",sans-serif;text-decoration:none">@Dimitris
Zacharopoulos (HARICA)</span></a></span><span
style="font-size:11.0pt" lang="EN-US"> I
replaced “deleted” with “destroyed” in your
proposal, as I believe it would fit better in
that section.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Are there any further comments? If
not I will start the official discussion period
in the next few days.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US">Regards,<br>
<br>
Martijn</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"
lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:12.0pt;color:black"
lang="EN-US">From: </span></b><span
style="font-size:12.0pt;color:black"
lang="EN-US">Cscwg-public <</span><span
lang="EN-US"><a
href="mailto:cscwg-public-bounces@cabforum.org" moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public-bounces@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">> on behalf of Martijn
Katerbarg via Cscwg-public <</span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">><br>
<b>Date: </b>Monday, 11 March 2024 at
09:51<br>
<b>To: </b>Dimitris Zacharopoulos
(HARICA) <</span><span lang="EN-US"><a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><span
style="font-size:12.0pt">dzacharo@harica.gr</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">>, </span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US"> <</span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org"
moz-do-not-send="true"><span
style="font-size:12.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:12.0pt;color:black"
lang="EN-US">><br>
<b>Subject: </b>Re: [Cscwg-public]
Timestamp Certificate and SubCA updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">Works
for me on both fronts. I’ll leave the
discussion open for a bit so others can
add on.</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div
id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;color:black" lang="EN-US">From: </span></b><span
style="font-size:11.0pt;color:black" lang="EN-US">Dimitris Zacharopoulos
(HARICA) <</span><span
lang="EN-US"><a
href="mailto:dzacharo@harica.gr"
moz-do-not-send="true"><span
style="font-size:11.0pt">dzacharo@harica.gr</span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US">><br>
<b>Date: </b>Monday, 11 March
2024 at 09:48<br>
<b>To: </b>Martijn Katerbarg <</span><span
lang="EN-US"><a
href="mailto:martijn.katerbarg@sectigo.com" moz-do-not-send="true"><span
style="font-size:11.0pt">martijn.katerbarg@sectigo.com</span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US">>, </span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US"> <</span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US">><br>
<b>Subject: </b>Re:
[Cscwg-public] Timestamp
Certificate and SubCA updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">On 11/3/2024 10:32
a.m., Martijn Katerbarg wrote:</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">Thanks Dimitris,
I’ve reviewed and accepted the
suggestions. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">> witnessed by
members of two different
Trusted Roles (not by two
Trusted Role Members, i.e. you
can't use two persons of the
same Trusted Role).</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">TBH, I’m not sure
why it couldn’t be two persons
of the same Trusted Role?</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"
lang="EN-US"><br>
I'm not a native English speaker
but I think "Roles" (plural)
points to the different types of
Roles, while "Trusted Role
members" would point to different
Members in any Trusted Role. If
the intent is to have a 4-eye
principle control from any Trusted
Role, we can make it clearer by
using the "Trusted Role members"
phrase.</span><span lang="EN-US"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">> In general,
a "key destruction" ceremony
includes the deletion of all
copies of the key, including
copies that reside in backups.
If we require a "key
destruction" ceremony, the
"restore key" case is
nonsensical. We probably need
to work on this some more so
that we all have the same
understanding and
expectations.</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:11.0pt"
lang="EN-US">> It's ok to
keep the keys in backups but
if you happen to restore them
in an HSM, you must not use
them to sign anything. If a
CA/TSA can also "destroy" the
key, meaning that all copies
of that private key can be
unequivocally/securely deleted
(i.e. without a way to recover
the key), including any
instance of the key as part of
a backup, the better!</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">Agreed in general
regarding the Key Destruction
ceremony. However, having to
also destroy the backup of the
key, and do this again for any
next key every 18 months, can
be a lengthy procedure,
especially if backups are
stored securely and offline in
different places around the
world. That’s why for this
case we specifically call out
that backups don’t need to be
destroyed. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">But your point on
an HSM restoring an entire
partition and that violating
the requirement is valid. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">For reference,
the current proposed language
is:</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"
lang="EN-US">The CA MAY
maintain existing backup
sets containing the Private
Key corresponding to a
Timestamp Certificate. The
CA MUST NOT restore the
Private Key corresponding to
a Timestamp Certificate
contained within the backup
if the Timestamp Certificate
was issued more than 15
months prior to restoration
of the backup.</span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"
lang="EN-US"> </span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">What if we
once more use the NSR language
and state:</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"
lang="EN-US">The CA MAY
maintain existing backup
sets containing the Private
Key corresponding to a
Timestamp Certificate. The
CA SHOULD NOT restore the
Private Key corresponding to
a Timestamp Certificate
contained within the backup
if the Timestamp Certificate
was issued more than 15
months prior to restoration
of the backup. If the CA
does restore such a Private
Key, the CA SHALL only
restore the Private Key in a
suitable HSM while it’s
maintained in a High
Security Zone and in an
offline state or air-gapped
from all other networks and
perform a new key
destruction ceremony prior
to the HSM being brought to
an online state.</span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"
lang="EN-US"> </span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">Thoughts? </span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"
lang="EN-US"><br>
If we want to allow the existence
of a key in a backup, IMHO we
should avoid using the "key
destruction" language. How about
the following:<br>
<br>
Modify</span><span lang="EN-US"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><i><span
style="font-size:12.0pt"
lang="EN-US">For Timestamp
Certificates issued on or
after June 1, 2024, the CA
SHALL log the removal of the
Private Key from the Hardware
Crypto Module through means of
a key destruction ceremony
performed by the CA and
witnessed and signed-off by at
least two Trusted Roles.</span></i><span
lang="EN-US"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"
lang="EN-US"><br>
to</span><span lang="EN-US"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><i><span
style="font-size:12.0pt"
lang="EN-US">For Timestamp
Certificates issued on or
after June 1, 2024, the CA
SHALL log the removal of the
Private Key from the Hardware
Crypto Module through means of
a key <span
style="color:blue">deletion
</span>ceremony performed by
the CA and witnessed and
signed-off by at least two <span
style="color:blue">Trusted
Role members</span>. <span
style="color:blue">The CA
MAY also perform a key
destruction ceremony, </span></span></i><span
style="font-size:12.0pt;color:blue" lang="EN-US">meaning that all copies
of that private key are
unequivocally/securely deleted
(i.e. without a way to recover
the key), including any instance
of the key as part of a backup,
to satisfy this requirement</span><span
style="font-size:12.0pt"
lang="EN-US">.</span><span
lang="EN-US"><o:p></o:p></span></p>
</blockquote>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span
style="font-size:12.0pt"
lang="EN-US"><br>
Thanks,<br>
Dimitris.</span><span lang="EN-US"><o:p></o:p></span></p>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><i><span
style="font-size:11.0pt"
lang="EN-US"> </span></i><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt"
lang="EN-US">As a side-note, I
wonder if there’s a task for
the NSWG (or Definitions WG
once it’s setup) to define
terms for online and offline
HSMs</span><span lang="EN-US"><o:p></o:p></span></p>
<div
id="mail-editor-reference-message-container">
<div>
<div
style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"
style="margin-bottom:12.0pt"><b><span
style="font-size:11.0pt;color:black" lang="EN-US">From: </span></b><span
style="font-size:11.0pt;color:black" lang="EN-US">Cscwg-public </span><span
lang="EN-US"><a
href="mailto:cscwg-public-bounces@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt"><cscwg-public-bounces@cabforum.org></span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US"> on behalf of Dimitris
Zacharopoulos (HARICA)
via Cscwg-public </span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt"><cscwg-public@cabforum.org></span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US"><br>
<b>Date: </b>Sunday, 10
March 2024 at 10:30<br>
<b>To: </b></span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt">cscwg-public@cabforum.org</span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US"> </span><span
lang="EN-US"><a
href="mailto:cscwg-public@cabforum.org" moz-do-not-send="true"><span
style="font-size:11.0pt"><cscwg-public@cabforum.org></span></a></span><span
style="font-size:11.0pt;color:black" lang="EN-US"><br>
<b>Subject: </b>Re:
[Cscwg-public] Timestamp
Certificate and SubCA
updates</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:12.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span style="font-size:11.0pt" lang="EN-US">Hi
Martijn,<br>
<br>
Two suggestions
submitted on GitHub.<br>
<br>
Regarding the
prohibition of restoring
a private key of a
Timestamp Certificate,
I'm not sure how
universal this can be
because some HSMs
restore an entire
slot/partition, which
might contain Private
Keys associated with
obsolete Timestamp
Certificates. As the
ballot is written, such
an action would be a
violation.<br>
<br>
In general, a "key
destruction" ceremony
includes the deletion of
all copies of the key,
including copies that
reside in backups. If we
require a "key
destruction" ceremony,
the "restore key" case
is nonsensical. We
probably need to work on
this some more so that
we all have the same
understanding and
expectations.<br>
<br>
Let me restate the
intent of this
requirement as discussed
all this time, and
please correct me if I'm
wrong.<br>
<br>
IMO, the goal is to put
the keys associated with
Timestamp Certificates
out of use, 15 months
after the <i>notBefore
</i>of the Timestamp
Certificate. <br>
<br>
In order to achieve some
level of assurance for
this action, the
proposal is to delete
the keys from the HSM 18
months after the <i>notBefore
</i>of the Timestamp
Certificate, in an
audited way, witnessed
by members of two
different Trusted Roles
(not by two Trusted Role
Members, i.e. you can't
use two persons of the
same Trusted Role). <br>
<br>
It's ok to keep the keys
in backups but if you
happen to restore them
in an HSM, you must not
use them to sign
anything. If a CA/TSA
can also "destroy" the
key, meaning that all
copies of that private
key can be
unequivocally/securely
deleted (i.e. without a
way to recover the key),
including any instance
of the key as part of a
backup, the better!<br>
<br>
Thoughts?<br>
<br>
Dimitris.</span><span
lang="EN-US"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">On 6/3/2024 2:07 p.m., Martijn
Katerbarg via
Cscwg-public wrote:</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<blockquote
style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">All,</span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">As discussed last week, I’d send
out the draft
language for this
ballot once more
before starting the
discussion period.
The latest version
can be found in </span><span
lang="EN-US"><a
href="https://github.com/cabforum/code-signing/pull/34"
moz-do-not-send="true"><span style="font-size:11.0pt">https://github.com/cabforum/code-signing/pull/34</span></a><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">I’ve made changes this morning to
add 3 effective
dates, these are:</span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">For the removal of private keys associated with timestamp certificates, effective June 1<sup>st</sup>, 2024, CAs will need to properly log the removal of said key.</span>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">While I expect CAs to already properly log this for audit purposes even now, there may be exceptions for when this has not been done, for example a private key or timestamp certificate that was signed maybe 20 years ago. This language is added to avoid any confusion as to from what point there needs to be an audit trail.</span></li>
</ol>
</li>
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">Effective April 15, 2025, private keys associated with SubCAs containing the “Time Stamping” EKU will need to be placed in offline HSMs.</span>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">I believe a roughly one year effective date is appropriate here, since CAs may need to move keys from one HSM to another.</span></li>
</ol>
</li>
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">For private keys associated with timestamp certificates that were issued for greater than 15 months, CAs will need to remove the private keys 18 months after certificate issuance, starting April 15, 2025.</span>
<ol style="margin-top:0cm" type="1" start="1">
<li class="MsoListParagraph" style="margin-left:0cm"><span style="font-size:11.0pt" lang="EN-US">Likewise, I feel like anything involving HSM process changes should have a longer effective date, and it makes sense to align this with the effective date above.</span></li>
</ol>
</li>
</ol>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">I’ll start a ballot on this early
next week, unless
there is concern
with the above. </span><span
lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US"> </span><span lang="EN-US"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt" lang="EN-US">Regards,<br>
<br>
Martijn</span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"
style="margin-bottom:12.0pt"><span style="font-size:11.0pt" lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
<pre><span lang="EN-US">_______________________________________________<o:p></o:p></span></pre>
<pre><span lang="EN-US">Cscwg-public mailing list<o:p></o:p></span></pre>
<pre><span lang="EN-US"><a
href="mailto:Cscwg-public@cabforum.org" moz-do-not-send="true"
class="moz-txt-link-freetext">Cscwg-public@cabforum.org</a><o:p></o:p></span></pre>
<pre><span lang="EN-US"><a
href="https://lists.cabforum.org/mailman/listinfo/cscwg-public"
moz-do-not-send="true">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a><o:p></o:p></span></pre>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</blockquote>
<p class="MsoNormal"><span
style="font-size:12.0pt"
lang="EN-US"> </span><span
lang="EN-US"><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
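<p>The timeline restated in the thread above (keys put out of use 15 months after the Timestamp Certificate's <i>notBefore</i>, removed from the HSM at 18 months, and the proposed "MUST NOT restore ... if the Timestamp Certificate was issued more than 15 months prior to restoration" condition) expressed as an audit check. This is an added Python example, not code from the thread, from any CA, or from the CSCWG ballot text. It assumes the <i>notBefore</i> date has already been extracted from each certificate (X.509 parsing is not shown), treats the 15/18-month thresholds as parameters rather than as final ballot values, and uses a constructed key inventory with invented labels. Month arithmetic is done in calendar months and clamped to the end of the target month, which is the edge case a naive "add 30 days" check gets wrong.</p>

```python
import calendar
from datetime import date

# Thresholds in months after the Timestamp Certificate's notBefore, as
# discussed in the thread. Parameters for illustration, not ballot text.
OUT_OF_USE_MONTHS = 15   # key must not sign anything after this point
REMOVAL_MONTHS = 18      # key must be removed from the HSM by this point


def add_months(d: date, months: int) -> date:
    """Add whole calendar months, clamping to the last valid day of the
    target month (2024-01-31 + 1 month -> 2024-02-29)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def key_status(not_before: date, on: date) -> str:
    """Classify a timestamp signing key as of date `on`.

    active:       may still be used for signing
    out_of_use:   more than OUT_OF_USE_MONTHS since notBefore; must not sign
    removal_due:  more than REMOVAL_MONTHS since notBefore; must be removed
                  from the Hardware Crypto Module in a logged ceremony
    """
    if on > add_months(not_before, REMOVAL_MONTHS):
        return "removal_due"
    if on > add_months(not_before, OUT_OF_USE_MONTHS):
        return "out_of_use"
    return "active"


def restore_permitted(not_before: date, restore_date: date) -> bool:
    """The proposed 'MUST NOT restore the Private Key ... if the Timestamp
    Certificate was issued more than 15 months prior to restoration'."""
    return restore_date <= add_months(not_before, OUT_OF_USE_MONTHS)


def audit(inventory: dict, on: date) -> list:
    """Return (label, status, restore_permitted) per key, sorted by label.

    `inventory` maps a key label to the certificate's notBefore date; in a
    real run that date comes from the certificate's validity field."""
    return [(label, key_status(nb, on), restore_permitted(nb, on))
            for label, nb in sorted(inventory.items())]


# Constructed sample inventory (labels and dates are invented, not CA data).
SAMPLE_INVENTORY = {
    "tsa-2023-a": date(2023, 1, 15),
    "tsa-2024-a": date(2024, 6, 1),
    "tsa-2025-a": date(2025, 2, 1),
}

if __name__ == "__main__":
    for label, status, may_restore in audit(SAMPLE_INVENTORY, date(2025, 9, 2)):
        print(f"{label}: {status}, restore permitted: {may_restore}")
```

<p>Run against the sample inventory on 2025-09-02, the 2023 key is past both thresholds (removal due, restore not permitted), the June 2024 key is one day past its 15-month mark (out of use, restore not permitted) and the 2025 key is still active. Note that a whole-slot or partition restore, as raised in the thread, would bring back every key in the backup regardless of this per-key answer; the check tells you which keys in the restored set must not be used, not whether the restore itself is allowed.</p>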
</body>
</html>