[Cscwg-public] Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Ian McMillan ianmcm at microsoft.com
Wed Nov 3 14:58:11 UTC 2021


Hi Folks,

I’ve found the time to write up the subscriber private key protection update under a proposed Ballot CSC-6. Please review the attached redline doc and provide feedback. Also, please let me know if you are willing to endorse this ballot.

cscwg:csc_6_-_update_to_subscriber_private_key_protection_requirements [CAB Forum Wiki]<https://wiki.cabforum.org/cscwg/csc_6_-_update_to_subscriber_private_key_protection_requirements>
Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Purpose of this ballot: Update the subscriber private key protection requirements in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.5. The following motion has been proposed by Ian McMillan of Microsoft, and endorsed by <Name + Org> and <Name + Org>.

- MOTION BEGINS -
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” version 2.5 according to the attached redline which includes:

  *   Update section 16.3 “Subscriber Private Key Protection” to “Subscriber Private Key Protection and Verification”
  *   Update section 16.3 “Subscriber Private Key Protection” to include sub-sections “16.3.1 Subscriber Private Key Protection” and “16.3.2 Subscriber Private Key Verification”
  *   Update section 16.3 under new sub-section 16.3.1 to remove allowance of TPM key generation and software protected private key protection, and remove private key protection requirement differences between EV and non-EV Code Signing Certificates
  *   Update section 16.3 under new sub-section 16.3.1 to include the allowance of key generation and protection using a cloud-based key protection solution providing key generation and protection in a hardware crypto module that conforms to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+
  *   Update section 16.3 under new sub-section 16.3.2 to include verification for Code Signing Certificates' private key generation and storage in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by the CAs. Include additional acceptable methods for verification including cloud-based key generation and protection solutions and a stipulation for CAs to satisfy this verification requirement with additional means specified in their CPS. Any additional means specified by a CA in their CPS must be proposed to the CA/Browser Forum for inclusion into the acceptable methods for section 16.3.2 within 6 months of inclusion in their CPS.
- MOTION ENDS -

The procedure for approval of this ballot is as follows:
Discussion (7 days) Start Time: TBD End Time: TBD
Vote for approval (7 days) Start Time: TBD End Time: TBD

Thanks,
Ian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-6_redline.docx
Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Size: 92877 bytes
Desc: Baseline Requirements for the Issuance and Management of Code Signing.v2.5+CSC-6_redline.docx
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211103/958fbb8d/attachment-0001.docx>