[Cscwg-public] FW: Ballot CSC-2: Consolidate Baseline and EV CSCWG Document

Atsushi Inaba atsushi.inaba at globalsign.com
Wed Jul 15 22:21:59 MST 2020


Dear Bruce,



Thank you for preparing the Ballot.



Could you let me make sure of a couple of things about

"16.3 Subscriber Private Key Protection"?



I suppose that the first half of this section is quoted

from the BRs for Non-EV Code Signing Certificates, and

the latter part is quoted from the Guidelines for EV

Code Signing Certificates. If so, when I see current

description, it seems me little difficult to distinguish

the requirements for EV Code Signing Certificates.



I feel it's better to edit the item 4 as follows;



------------------------------------------------------------



16.3 Subscriber Private Key Protection



For Non-EV Code Signing Certificates, the CA MUST obtain

a representation from the Subscriber that the Subscriber

will use one of the following options to generate and

protect their Code Signing Certificate private keys:



1. A Trusted Platform Module (TPM) that generates and

   secures a key pair and that can document the Subscriber’s

   private key protection through a TPM key attestation.



2. A hardware crypto module with a unit design form factor

   certified as conforming to at least FIPS 140 Level 2,

   Common Criteria EAL 4+, or equivalent.



3. Another type of hardware storage token with a unit design

   form factor of SD Card or USB token (not necessarily

   certified as conformant with FIPS 140 Level 2 or Common

   Criteria EAL 4+). The Subscriber MUST also warrant that it

   will keep the token physically separate from the device that

   hosts the code signing function until a signing session is begun.



For Non-EV Code Signing Certificates, a CA MUST recommend that

the Subscriber protect Private Keys using the method described in

Section 16.3(1) or 16.3(2) over the method described in Section

16.3(3) and obligate the Subscriber to protect Private Keys in

accordance with 10.3.2(2).



For EV Code Signing Certificates, CAs SHALL ensure that the

Subscriber’s private key is generated, stored and used in a

crypto module that meets or exceeds the requirements of FIPS

140-2 level 2. Acceptable methods of satisfying this requirement

include (but are not limited to) the following:



4. The CA ships a suitable hardware crypto module, with a

   preinstalled key pair, in the form of a smartcard or USB

   device or similar;



5. The Subscriber counter-signs certificate requests that can be

   verified by using a manufacturer’s certificate indicating that

   the key is managed in a suitable hardware module;



6. The Subscriber provides a suitable IT audit indicating that its

   operating environment achieves a level of security at least

   equivalent to that of FIPS 140-2 level 2.



----------------------------------------------------------------------



P.S.

Please forgive me if I missed the points.





Best regards,

Atsushi Inaba



―――――――――――――――――――――――――――――

GMO GlobalSign K.K.



Business Planning

Atsushi Inaba



1-2-3, Dogenzaka, Shibuya Ku, Tokyo, Japan

150-0043



TEL: +81-3-6370-6671

FAX: +81-3-6370-6505

E-MAIL: atsushi.inaba at globalsign.com

URL:https://jp.globalsign.com/

―――――――――――――――――――――――――――――

THANK YOU 24 YEARS Internet for Everyone

―――――――――――――――――――――――――――――

■ GMO INTERNET GROUP ■ http://www.gmo.jp/

―――――――――――――――――――――――――――――

This e-mail message is intended to be conveyed only to the

designated recipient(s). If you are NOT the intended

recipient(s) of this e-mail, please kindly notify the sender

immediately and delete the original message from your system.



From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce
Morton via Cscwg-public
Sent: Wednesday, July 15, 2020 6:36 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] FW: Ballot CSC-2: Consolidate Baseline and EV CSCWG
Document



Here is the ballot to the public list for discussion. The discussion period
will be extended to minimum 7 days from today, so will end no earlier than
21 July 2020, 22:00 UTC.



Thanks, Bruce.



From: Bruce Morton
Sent: Thursday, July 9, 2020 8:58 AM
To: cscwg-management at cabforum.org
Subject: Ballot CSC-2: Consolidate Baseline and EV CSCWG Document



This begins the discussion period for the Ballot CSC-2: Consolidate Baseline
and EV CSCWG Document



Purpose of Ballot:



The CA/Browser Forum currently has two code signing requirements documents:
1) Baseline Requirements for the Issuance and Management of Publicly‐
Trusted Code Signing Certificates and 2) Guidelines For The Issuance And
Management Of Extended Validation Code Signing Certificates. The two
documents are in similar format and cover many of the same requirements. CAs
which issue both types of certificates must adhere to both documents and
must be audited to two sets of criteria. CA/Browser Forum members also need
to manage two sets of criteria. Auditors need to manage two sets of audit
criteria.



The greater goal is to 1) migrate the documents into one document which will
manage the requirements of both EV and non-EV code signing certificates, 2)
reformat the document to be in the RFC 3647 format which will be in line
with CPS format requirements and 3) change and manage the requirements in an
ongoing process.



This ballot addresses item 1 of the process. The migration started with
using the Baseline Requirements for Code Signing and adding in the EV Code
Signing Requirements. The process was to minimize technical change although
there was some change to allow merging. The process was not to correct
issues, but a “parking lot” list was created to capture changes to be
addressed in the future.



The following motion has been proposed by Bruce Morton of Entrust and
endorsed by Mike Reilly of Microsoft and Dean Coclin of DigiCert.



--- MOTION BEGINS ---



This ballot modifies the “Baseline Requirements for the Issuance and
Management of Publicly‐Trusted Code Signing Certificates” based on Version
1.2 and removes the requirements for “Guidelines For The Issuance And
Management Of Extended Validation Code Signing Certificates” based on
Version 1.4. A redline update is attached.



Be it resolved that the CA / Browser Forum adopts the attached CA/B Forum
Baseline Requirements for the Issuance and Management of Publicly‐Trusted
Code Signing Certificates version 2.0 effective upon adoption.



--- MOTION ENDS ---



This ballot proposes a Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion (7+ days)

Start Time: 9 July 2020 17:00:00 UTC

End Time: 16 July 2020 17:00:00 UTC

Vote for approval (7 days)



Start Time: TBD



End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200716/f1f91520/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5611 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20200716/f1f91520/attachment-0001.p7s>


More information about the Cscwg-public mailing list