[Cscwg-public] [EXTERNAL] FW: questions of use of IP addresses for codesign timestamp.

Ian McMillan ianmcm at microsoft.com
Mon Nov 8 22:02:32 UTC 2021


I'm assuming this is related to the previous requirements in the baseline requirements for code signing certificates in section 15. Please let me know if not.

If so, part of the CSC-9 ballot (v2.4 of the requirements) removed the requirement for IP collection for TSA's data records, and you can see that the current version of the requirements (v2.6), in section 15.2, is also not calling for the collection of IP addresses.


-----Original Message-----
From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dean Coclin via Cscwg-public
Sent: Wednesday, October 6, 2021 9:34 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] FW: questions of use of IP addresses for codesign timestamp.

Please see post below...

-----Original Message-----
From: 伊藤 忠彦 <tadahi-ito at secom.co.jp>
Sent: Wednesday, October 6, 2021 5:41 AM
To: Microsoft <msroot at microsoft.com>; Dean Coclin <dean.coclin at digicert.com>
Cc: 加毛 寿 <h-kamo at secom.co.jp>
Subject: questions of use of IP addresses for codesign timestamp.

Hi MS root Program, Dean.

This is mainly a question to MS, but I am also sending it to Dean as chair of the CSCWG.
If necessary, please share this email with the CSCWG members as well.

I am currently investigating the legal aspects of logging and *use* of IP addresses of timestamp requests used for codesign, before turning it in to SECOM's legal check.

I need to clarify the following questions before the legal checks, so could you clarify the following questions?

Q1) How will those IP addresses be used?
Q2) Can we describe that usage in the CP or user agreement document?
Q3) Has MS already published materials explaining that usage? If not, is there any plan to publish them in the future?

---- Descriptions of above questions. ----

Q1) If we provide the recorded IP address to another organization, the procedure may be treated as "provision of personal information to an overseas third party". In that case, the consent of the IP address owner may be required (if we use it for revocation only without identifying an individual etc., consent may not be necessary, but a legal check is required).
We believe that we cannot get agreement from criminals, and need to fend off with the following exceptions:
a) For example, if this IP address is used for criminal investigations and SECOM can confirm that it is used for a criminal investigation, it can be treated as an exception (e.g. by a request for disclosure from the judicial authorities).
Note that there is some possibility that a request from a US organization might be treated differently according to GDPR.
b) Consent is not necessary if consent would damage other users' life, body, and property.
c) If the request were made from a Japanese organization, we might be able to use another exception, but even in that case, we should disclose usage in some granularity.
In order to treat IP addresses as an exception above, we need to know how this IP address will be used.
So, could you tell us how to use those IP addresses?

Q2) I think that it is necessary to describe the usage in our CP or terms of use, but could you tell me which granularity would be acceptable for MS or CSCWG?
(I'm asking that question because I know that intelligence information could be hard to disclose.)

Q3) If there is a public article explaining the use of those IP addresses, the process of our company could be much easier. If there is any public information, or there is a plan to publish it in the future, could you share that information?

Regards,
Tadahiko Ito
