[Cscwg-public] Question about "Certificates transported outside of a Signing Service"

Doug Beattie doug.beattie at globalsign.com
Fri Aug 13 18:03:07 UTC 2021


But when 2 people have the private key, all hell could break loose.  I agree
with Bruce, needs more work.

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Doug
Beattie via Cscwg-public
Sent: Friday, August 13, 2021 1:57 PM
To: Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Question about "Certificates transported outside
of a Signing Service"

 

Hi Corey,

 

I'm not sure of the history either, but could this be trying to say:

* If you envision needing to "take your private key" outside of the
Signing Service Infrastructure, then you must have generated it and provided
it to the Signing Service in the first place (because there is no way to
export keys once inside of the Signing Service Infrastructure).

 

Just a thought.

 

Doug

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Corey
Bonnell via Cscwg-public
Sent: Friday, August 13, 2021 1:52 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Question about "Certificates transported outside of
a Signing Service"

 

Hello,

I'm currently working through the CSBRs and moving the content into RFC 3647
format and I encountered a requirement that is unclear. Section 10.2.4
(Subscriber Private key) states:

 

"For Certificates transported outside of a Signing Service's secure
infrastructure, the CA or Signing Service MUST require, by contract, each
Subscriber to generate their own Private Key and protect the Private Key in
accordance with Section 16.2 ("Private Key Protection")."

 

Certificates are bundled with signed binaries, so they by necessity will be
"transported outside a Signing Service's secure infrastructure". So I
believe this requirement, as written, doesn't make a lot of sense. It may be
speaking to Private keys instead of Certificates, which may make more sense,
but still isn't clear. If the Subscriber is required to generate a key pair
after migrating their private key out of a Signing Service, they won't be
able to use their current Certificate for future signing operations (since
the key pair will have changed). The net result of this reading is that key
export from a Signing Service would not be allowed.

 

It appears this language has been around for some time (it exists as-is in
v1.2). Does anyone have any insight into what this requirement is attempting
to convey?

 

Thanks,

Corey

 


