[Cscwg-public] Adobe AATL end entity key storage requirements

Tomas Gustavsson tomas.gustavsson at primekey.com
Thu Jan 23 08:47:13 MST 2020


Hi,

As discussed in the last CscwG meeting, I would look how AATL specifies
key storage of end entity key material, so we have something to compare
with the wording in the current Baseline requirements for Issuance and
Management of Code Signing Guidelines, section 16.3.
https://cabforum.org/wp-content/uploads/Baseline-Requirements-for-the-Issuance-and-Management-of-Code-Signing-Certificates.v.1.2.pdf

There is a corresponding(?), but differently worded section in the EV
Code Signing Certificate Guidelines, section 16.4.
https://cabforum.org/wp-content/uploads/EV-Code-Signing-v.1.4.pdf

The similar section in the AATL is in section EE4 (Requirements for
End-entity certificates).
https://helpx.adobe.com/content/dam/help/en/acrobat/kb/approved-trust-list2/_jcr_content/main-pars/download-section/download-1/aatl_technical_requirements_v2.0.pdf

So we have now 3 variants of the (I believe) same purpose.

The EV guidelines are shortest, and the AATL are most detailed. It's
often bit of a mix between the technical requirements (keep the key
secured) and how to validate it. The EV guidelines are more tailored
towards how to validate it, which requires an audit of the end entity
unless some key attestation can be achieved (which is not possible in
many HSMs). The Baseline requirements are more technical, specifying a
device + adding validation method for TPMs, but not for the other types.
The AATL is quite technical, but not providing CAs with guidance how to
validate it.

Doesn't it make sense to at least divide technical requirements on key
generation and protection, and how CAs should validate that those
technical requirements have been met?

Regards,
Tomas


More information about the Cscwg-public mailing list