[Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Tue Nov 23 10:07:23 UTC 2021
On 18/11/2021 7:03 μ.μ., Dimitris Zacharopoulos (HARICA) via
Cscwg-public wrote:
>
> Ok, so you are thinking of a Subscriber that owns an HSM and gets an
> IT audit that has an audit report that asserts that all Keys
> associated with Code Signing Certificates are generated in an on-prem
> certified HSM. Is this what this method is supposed to cover?
After our recent meeting, we agreed to tweak the language of 4. to cover
this use case described by Bruce. I recommend changing
/"4. The Subscriber provides a suitable IT audit indicating that its
operating environment achieves a level of security specified in section
16.3.1"/
to
/"4. The Subscriber provides an internal or external IT audit
indicating that it is only using a suitable hardware module as specified
in section 16.3.1 to generate keys pairs to be associated with Code
Signing Certificates"/
I also noticed that we don't have consistency among all listed options.
Some options just say "suitable hardware module", others point to 16.3.1
and others say both. We could discuss at our next call or someone could
take a stab at it and try to use consistent language.
Thanks,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211123/ff9f87f7/attachment-0001.html>
More information about the Cscwg-public
mailing list