<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>I concur with Christophe.</p>
<p>Adriano</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 12/04/2024 16:30, Christophe Bonjean
via Cscwg-public wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0100018ed2b7a3a7-bb41b7eb-05bf-4351-80ac-75a84995dedf-000000@email.amazonses.com">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="NL-BE">Hi Martijn,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"
lang="NL-BE"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">Looking
at the purpose of the ballot, the goal is to require <b>newly
issued</b> [..] <b>Private Keys </b>to be stored in
offline HSMs<b>.<o:p></o:p></b></span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">The
proposed change scopes this change to [keys related to] Root
CA certificates and <b>new Subordinate CA certificates</b><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">I
would recommend scoping this change to Private Keys
generated after the effective date, instead of linking it to
the issuing date of the Subordinate CA Certificate for those
keys. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif">For
example if a CA issues a new Subordinate CA Certificate
after this date, with an existing Private Key, then the
related Private Key would need to be moved to an offline
state. I think the intention is only for new keys to follow
this requirement.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif;mso-ligatures:none">Christophe<o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Arial",sans-serif"><o:p> </o:p></span></p>
<div>
<div
style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-family:"Calibri",sans-serif;mso-ligatures:none">From:</span></b><span
style="font-family:"Calibri",sans-serif;mso-ligatures:none">
Cscwg-public <a class="moz-txt-link-rfc2396E" href="mailto:cscwg-public-bounces@cabforum.org"><cscwg-public-bounces@cabforum.org></a> <b>On
Behalf Of </b>Martijn Katerbarg via Cscwg-public<br>
<b>Sent:</b> Monday, April 8, 2024 9:32 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:cscwg-public@cabforum.org">cscwg-public@cabforum.org</a><br>
<b>Subject:</b> [Cscwg-public] [Discussion Period
Begins] CSC-24 (v2): Timestamping Private Key Protection<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p><strong><span
style="font-family:"Aptos",sans-serif;color:#212121">Purpose
of the Ballot</span></strong><span style="color:#212121"><o:p></o:p></span></p>
<p class="MsoNormal" id="bkmrk-this-ballot-updates-"><span
style="color:#212121">This ballot updates the “Baseline
Requirements for the Issuance and Management of Publicly</span><span
style="font-family:"Cambria Math",serif;color:#212121">‐</span><span
style="color:#212121">Trusted Code Signing Certificates“
version 3.7 in order to clarify language regarding Timestamp
Authority Private Key Protection. The main goals of this
ballot are to:<o:p></o:p></span></p>
<ol id="bkmrk-remove-dependencies-" type="1" start="1">
<li class="null" style="color:#212121;mso-list:l5 level1 lfo3"><span
class="pl-mh"><span style="font-size:11.0pt">Require newly
issued Timestamp Authority Subordinate CA Private Keys
to be stored in offline HSMs</span></span><o:p></o:p></li>
<li class="null" style="color:#212121;mso-list:l5 level1 lfo3"><span
class="pl-mh"><span style="font-size:11.0pt">Add a
requirement to remove Private Keys associated with
Timestamp Certificates after 18 months</span></span><o:p></o:p></li>
<li class="null" style="color:#212121;mso-list:l5 level1 lfo3"><span
class="pl-mh"><span style="font-size:11.0pt">Add a
requirement to reject SHA-1 timestamp requests</span></span><o:p></o:p></li>
</ol>
<p class="MsoNormal" id="bkmrk-the-following-motion"><span
style="color:#212121">The following motion has been proposed
by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton
of Entrust and Ian McMillan of Microsoft.<o:p></o:p></span></p>
<p class="MsoNormal" id="bkmrk-%C2%A0motion-begins"><span
style="color:#212121"> <strong><span
style="font-family:"Aptos",sans-serif">MOTION
BEGINS</span></strong><o:p></o:p></span></p>
<p class="MsoNormal" id="bkmrk-this-ballot-updates--1"><span
style="color:#212121">This ballot updates the “Baseline
Requirements for the Issuance and Management of Publicly</span><span
style="font-family:"Cambria Math",serif;color:#212121">‐</span><span
style="color:#212121">Trusted Code Signing Certificates”
("Code Signing Baseline Requirements") based on version 3.7.
MODIFY the Code Signing Baseline Requirements as specified
in the following redline:<span class="apple-converted-space"> </span><a
href="https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421"
moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421</a><o:p></o:p></span></p>
<p id="bkmrk-motion-ends"><strong><span
style="font-family:"Aptos",sans-serif;color:#212121">MOTION
ENDS</span></strong><span style="color:#212121"><o:p></o:p></span></p>
<p class="MsoNormal" id="bkmrk-the-procedure-for-th"><span
style="color:#212121">The procedure for this ballot is as
follows:<o:p></o:p></span></p>
<p id="bkmrk-discussion-%287-days%29"><span
style="color:#212121">Discussion (7 days)<o:p></o:p></span></p>
<ul style="margin-top:0cm" id="bkmrk-start-time%3A-09-09-20"
type="disc">
<li class="MsoNormal"
style="color:#212121;mso-list:l4 level1 lfo6">Start Time:
2024-04-08 09:00 UTC<o:p></o:p></li>
<li class="MsoNormal"
style="color:#212121;mso-list:l4 level1 lfo6">End Time: Not
before 2024-04-15 17:00 UTC<o:p></o:p></li>
</ul>
<p id="bkmrk-vote-for-approval-%287"><span style="color:#212121">Vote
for approval (7 days)<o:p></o:p></span></p>
<ul style="margin-top:0cm" id="bkmrk-start-time%3A-09-16-20"
type="disc">
<li class="MsoNormal"
style="color:#212121;mso-list:l3 level1 lfo9">Start Time:
TBD<o:p></o:p></li>
<li class="MsoNormal"
style="color:#212121;mso-list:l3 level1 lfo9">End Time: TBD<o:p></o:p></li>
</ul>
<p class="MsoNormal"><span style="color:#212121"> <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<pre class="moz-quote-pre" wrap="">_______________________________________________
Cscwg-public mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Cscwg-public@cabforum.org">Cscwg-public@cabforum.org</a>
<a class="moz-txt-link-freetext" href="https://lists.cabforum.org/mailman/listinfo/cscwg-public">https://lists.cabforum.org/mailman/listinfo/cscwg-public</a>
</pre>
</blockquote>
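<p>Added example, not part of the ballot, the redline or any message in this thread: one of the ballot's goals is that a Timestamp Authority rejects SHA-1 timestamp requests. The check below is written in Python from the TSA's side. It parses the DER-encoded RFC 3161 TimeStampReq far enough to read the messageImprint hash algorithm OID, rejects SHA-1 (OID 1.3.14.3.2.26), and also rejects any digest outside an assumed SHA-2-only policy or whose length does not match the declared algorithm. The accepted-algorithm set, the hypothetical function names and the sample requests are constructed for this example; the ballot itself only says SHA-1 must be rejected.</p>

```python
"""Added example (not from the CSC-24 ballot or the cabforum/code-signing repo):
TSA-side rejection of SHA-1 RFC 3161 timestamp requests, using a minimal
pure-Python DER reader. Sample requests are constructed inline."""

OID_SHA1 = "1.3.14.3.2.26"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SHA384 = "2.16.840.1.101.3.4.2.2"
OID_SHA512 = "2.16.840.1.101.3.4.2.3"
# Assumed policy for this example: SHA-2 family only, with expected digest lengths.
ACCEPTED_DIGESTS = {OID_SHA256: 32, OID_SHA384: 48, OID_SHA512: 64}


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents to dotted form (first arc 0, 1 or 2)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def check_timestamp_request(der):
    """Return (accepted, reason_or_oid) for a DER TimeStampReq (hypothetical helper).

    TimeStampReq ::= SEQUENCE { version INTEGER, messageImprint SEQUENCE {
        hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }, ... }
    """
    tag, req, _ = _read_tlv(der, 0)
    if tag != 0x30:
        return False, "not a SEQUENCE"
    tag, version, pos = _read_tlv(req, 0)
    if tag != 0x02 or version != b"\x01":
        return False, "unsupported version"
    tag, imprint, pos = _read_tlv(req, pos)
    if tag != 0x30:
        return False, "malformed messageImprint"
    tag, algid, p2 = _read_tlv(imprint, 0)
    if tag != 0x30:
        return False, "malformed AlgorithmIdentifier"
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        return False, "malformed AlgorithmIdentifier"
    tag, digest, _ = _read_tlv(imprint, p2)
    if tag != 0x04:
        return False, "malformed hashedMessage"
    oid = _decode_oid(oid_bytes)
    if oid == OID_SHA1:
        return False, "SHA-1 messageImprint rejected"
    if oid not in ACCEPTED_DIGESTS:
        return False, "unsupported hash algorithm " + oid
    if len(digest) != ACCEPTED_DIGESTS[oid]:
        return False, "hashedMessage length does not match algorithm"
    return True, oid


def _der(tag, content):
    """Encode a short-form DER TLV (enough for the constructed samples)."""
    assert len(content) < 128
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    """Encode a dotted OID into OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(chunk)
    return out


def build_timestamp_request(hash_oid, digest):
    """Constructed sample TimeStampReq: version 1, messageImprint, certReq TRUE."""
    algid = _der(0x30, _der(0x06, _encode_oid(hash_oid)) + b"\x05\x00")  # NULL params
    imprint = _der(0x30, algid + _der(0x04, digest))
    return _der(0x30, _der(0x02, b"\x01") + imprint + _der(0x01, b"\xff"))


if __name__ == "__main__":
    import hashlib
    data = b"constructed sample input"
    for oid, hasher in ((OID_SHA1, hashlib.sha1), (OID_SHA256, hashlib.sha256)):
        print(oid, check_timestamp_request(build_timestamp_request(oid, hasher(data).digest())))
```

<p>The length check matters in practice: a request that declares SHA-256 but carries a 20-byte digest is as suspect as one that declares SHA-1, so the policy is enforced on both the OID and the digest size rather than on the OID alone.</p>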
</body>
</html>