[Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Nov 23 13:33:44 UTC 2021

Hi all,

I find the language in "Baseline Requirements for the Issuance and 
Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing, 
about private key protection.

It seems to me that section 16.3.1, in the added parts, only allows 
three options for protecting the private key effective Sep 1, 2022:

1) hosted hardware crypto module (in short "HCM")
2) cloud-based key generation and protection solution (backed by an 
HCM)  (I am not clear what's the difference with #1)
3) signing service

But later on, section 16.3.2 seems to allow a wider range of options, 
including a suitable HCM shipped to the subscriber by the CA.

Am I reading wrong?

Also, I am not clear how option #3 in §16.3.2 works:

"3.    The Subscriber uses a CA prescribed CSP and a suitable hardware 
module combination for the key pair generation and storage;"

Anybody willing to explain?


Il 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public ha 
> On 18/11/2021 7:03 μ.μ., Dimitris Zacharopoulos (HARICA) via 
> Cscwg-public wrote:
>> Ok, so you are thinking of a Subscriber that owns an HSM and gets an 
>> IT audit that has an audit report that asserts that all Keys 
>> associated with Code Signing Certificates are generated in an on-prem 
>> certified HSM. Is this what this method is supposed to cover?
> After our recent meeting, we agreed to tweak the language of 4. to 
> cover this use case described by Bruce. I recommend changing
> /"4.    The Subscriber provides a suitable IT audit indicating that 
> its operating environment achieves a level of security specified in 
> section 16.3.1"/
> to
> /"4.    The Subscriber provides an internal or external IT audit 
> indicating that it is only using a suitable hardware module as 
> specified in section 16.3.1 to generate keys pairs to be associated 
> with Code Signing Certificates"/
> I also noticed that we don't have consistency among all listed 
> options. Some options just say "suitable hardware module", others 
> point to 16.3.1 and others say both. We could discuss at our next call 
> or someone could take a stab at it and try to use consistent language.
> Thanks,
> Dimitris.
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211123/9479b014/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20211123/9479b014/attachment-0001.p7s>

More information about the Cscwg-public mailing list