[Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Tue Nov 23 10:07:23 UTC 2021



On 18/11/2021 7:03 μ.μ., Dimitris Zacharopoulos (HARICA) via 
Cscwg-public wrote:
>
> Ok, so you are thinking of a Subscriber that owns an HSM and gets an 
> IT audit that has an audit report that asserts that all Keys 
> associated with Code Signing Certificates are generated in an on-prem 
> certified HSM. Is this what this method is supposed to cover?

After our recent meeting, we agreed to tweak the language of 4. to cover 
this use case described by Bruce. I recommend changing

/"4.    The Subscriber provides a suitable IT audit indicating that its 
operating environment achieves a level of security specified in section 
16.3.1"/

to

/"4.    The Subscriber provides an internal or external IT audit 
indicating that it is only using a suitable hardware module as specified 
in section 16.3.1 to generate keys pairs to be associated with Code 
Signing Certificates"/

I also noticed that we don't have consistency among all listed options. 
Some options just say "suitable hardware module", others point to 16.3.1 
and others say both. We could discuss at our next call or someone could 
take a stab at it and try to use consistent language.


Thanks,
Dimitris.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211123/ff9f87f7/attachment-0001.html>


More information about the Cscwg-public mailing list