[Cscwg-public] Signing Service Model

Bruce Morton Bruce.Morton at entrustdatacard.com
Mon Aug 24 12:11:22 MST 2020

I was working on separating the warranties of the CA and the Signing Service. In review, it is starting to get confusing; as such, it would be great to discuss the Signing Service model. I believe that it can be based in 2 ways:

  1.  Signing Authority - In this case the SA has its own certificates with keys guaranteed to be managed on an HSM. The old requirement allowed these certificates to be valid up to 135 months. The SA could then verify entities that would like their code signed. The SA could then sign the code using the SA's keys. The code signature could be valid for 135 months.
  2.  Subscriber Key Hosting and Signing Service - In this case the Subscriber must be verified and can then have their keys hosted on an HSM by the CA or a third party. When the Subscriber wants to sign, they have to authenticate and use the signing service which will use their key. The certificate has a validity period of 39 months.

Please advise if there are other models.

I don't believe that anyone is using the item 1 model. We have also reduced the validity period to 39 months.

The item 2 model appears to allow the keys to be hosted by the CA or a third party. Could this be a cloud provider? If a cloud provider is included, then I don't think that we can push out the Signing Service requirements to the cloud providers.

I think we should define the model(s) that we want to support, then update the BRs to support these model(s).

This should work with the key protection which Ian will be proposing for section 16.3.
