[Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Tomas Gustavsson tomas.gustavsson at primekey.com
Wed Dec 8 08:04:29 UTC 2021


I wonder what a "dedicated cryptography processor" means? Does that include a standard x86 CPU, as long as the CPU is dedicated for "HSM work"?
Just checking since there are several FIPS certified HSMs on the market using standard CPUs, i.e. Intel SGX or MPC.


From: Cscwg-public <cscwg-public-bounces at cabforum.org> on behalf of Ian McMillan via Cscwg-public <cscwg-public at cabforum.org>
Sent: Tuesday, December 7, 2021 11:24 PM
To: Adriano Santoni <adriano.santoni at staff.aruba.it>; cscwg-public at cabforum.org <cscwg-public at cabforum.org>; Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; Bruce Morton <Bruce.Morton at entrust.com>
Subject: Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Hi Folks,

Coming out of our last call, I’ve made all the updates we discussed including producing a definition for the term “hardware crypto module” (see below).

Hardware Crypto Module: A tamper-resistant device with a dedicated cryptography processor used for the specific purpose of protecting the lifecycle of cryptographic keys (generating, managing, processing, and storing).

Please see the attached redline now with all the latest updates and provide feedback and willingness to endorse the ballot.



From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Adriano Santoni via Cscwg-public
Sent: Tuesday, November 23, 2021 8:34 AM
To: cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Hi all,

I find the language in "Baseline Requirements for the Issuance and Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing, about private key protection.

It seems to me that section 16.3.1, in the added parts, only allows three options for protecting the private key effective Sep 1, 2022:

1) hosted hardware crypto module (in short "HCM")
2) cloud-based key generation and protection solution (backed by an HCM)  (I am not clear what's the difference with #1)
3) signing service

But later on, section 16.3.2 seems to allow a wider range of options, including a suitable HCM shipped to the subscriber by the CA.

Am I reading wrong?

Also, I am not clear how option #3 in §16.3.2 works:

"3.    The Subscriber uses a CA prescribed CSP and a suitable hardware module combination for the key pair generation and storage;"

Anybody willing to explain?


On 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:

On 18/11/2021 7:03 PM, Dimitris Zacharopoulos (HARICA) via Cscwg-public wrote:

Ok, so you are thinking of a Subscriber that owns an HSM and gets an IT audit that has an audit report that asserts that all Keys associated with Code Signing Certificates are generated in an on-prem certified HSM. Is this what this method is supposed to cover?

After our recent meeting, we agreed to tweak the language of 4. to cover this use case described by Bruce. I recommend changing

"4.    The Subscriber provides a suitable IT audit indicating that its operating environment achieves a level of security specified in section 16.3.1"


"4.    The Subscriber provides an internal or external IT audit indicating that it is only using a suitable hardware module as specified in section 16.3.1 to generate key pairs to be associated with Code Signing Certificates"

I also noticed that we don't have consistency among all listed options. Some options just say "suitable hardware module", others point to 16.3.1 and others say both. We could discuss at our next call or someone could take a stab at it and try to use consistent language.


