[Cscwg-public] Question about "Certificates transported outside of a Signing Service"

Dimitris Zacharopoulos dzacharo at harica.gr
Sat Aug 14 05:43:07 UTC 2021


No, I think you've got it right Doug.

As we have heard from Microsoft's representatives, there is a use case for a Subscriber to be able to "import" a Private Key to a Signing Service and use that securely. Obviously, the Subscriber must be able to protect their local copies of the private key but it allows them to be "vendor free" and be able to migrate to another signing service, if this use case is supported.

Does that make sense?

DZ.


Aug 13, 2021 21:03:34 Doug Beattie via Cscwg-public <cscwg-public at cabforum.org>:

> But when 2 people have the private key, all hell could break loose.  I agree with Bruce, needs more work.
>  
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of *Doug Beattie via Cscwg-public
> *Sent:* Friday, August 13, 2021 1:57 PM
> *To:* Corey Bonnell <Corey.Bonnell at digicert.com>; cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] Question about "Certificates transported outside of a Signing Service"
>  
> Hi Corey,
>  
> I’m not sure of the history either, but could this be trying to say:
> * If you envision needing to “take your private key” outside of the Signing Service Infrastructure, then you must have generated it and provided it to the Signing Service in the first place (because there is no way to export keys once inside of the Signing Service Infrastructure).
>  
> Just a thought.
>  
> Doug
>  
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of *Corey Bonnell via Cscwg-public
> *Sent:* Friday, August 13, 2021 1:52 PM
> *To:* cscwg-public at cabforum.org
> *Subject:* [Cscwg-public] Question about "Certificates transported outside of a Signing Service"
>  
> Hello,
> I’m currently working through the CSBRs and moving the content into RFC 3647 format and I encountered a requirement that is unclear. Section 10.2.4 (Subscriber Private key) states:
>  
> “For Certificates transported outside of a Signing Service’s secure infrastructure, the CA or Signing
> Service MUST require, by contract, each Subscriber to generate their own Private Key and protect
> the Private Key in accordance with Section 16.2 (“Private Key Protection”).”
>  
> Certificates are bundled with signed binaries, so they by necessity will be “transported outside a Signing Service’s secure infrastructure”. So I believe this requirement, as written, doesn’t make a lot of sense. It may be speaking to Private Keys instead of Certificates, which may make more sense, but still isn’t clear. If the Subscriber is required to generate a key pair after migrating their private key out of a Signing Service, they won’t be able to use their current Certificate for future signing operations (since the key pair will have changed). The net result of this reading is that key export from a Signing Service would not be allowed.
>  
> It appears this language has been around for some time (it exists as-is in v1.2). Does anyone have any insight into what this requirement is attempting to convey?
>  
> Thanks,
> Corey
>  
