[Cscwg-public] [EXTERNAL] Re: Discussion: Proposed Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Adriano Santoni
adriano.santoni at staff.aruba.it
Tue Nov 23 13:33:44 UTC 2021
Hi all,

I find the language in "Baseline Requirements for the Issuance and
Management of Code Signing.v2.6+CSC-6_redline_v2" rather confusing,
about private key protection.

It seems to me that section 16.3.1, in the added parts, only allows
three options for protecting the private key effective Sep 1, 2022:

1) hosted hardware crypto module (in short "HCM")
2) cloud-based key generation and protection solution (backed by an
HCM) (I am not clear what's the difference with #1)
3) signing service

But later on, section 16.3.2 seems to allow a wider range of options,
including a suitable HCM shipped to the subscriber by the CA.

Am I reading wrong?

Also, I am not clear how option #3 in §16.3.2 works:

"3. The Subscriber uses a CA prescribed CSP and a suitable hardware
module combination for the key pair generation and storage;"

Anybody willing to explain?

Adriano

On 23/11/2021 11:07, Dimitris Zacharopoulos (HARICA) via Cscwg-public
wrote:
>
>
> On 18/11/2021 7:03 PM, Dimitris Zacharopoulos (HARICA) via
> Cscwg-public wrote:
>>
>> Ok, so you are thinking of a Subscriber that owns an HSM and gets an
>> IT audit that has an audit report that asserts that all Keys
>> associated with Code Signing Certificates are generated in an on-prem
>> certified HSM. Is this what this method is supposed to cover?
>
> After our recent meeting, we agreed to tweak the language of 4. to
> cover this use case described by Bruce. I recommend changing
>
> /"4. The Subscriber provides a suitable IT audit indicating that
> its operating environment achieves a level of security specified in
> section 16.3.1"/
>
> to
>
> /"4. The Subscriber provides an internal or external IT audit
> indicating that it is only using a suitable hardware module as
> specified in section 16.3.1 to generate key pairs to be associated
> with Code Signing Certificates"/
>
> I also noticed that we don't have consistency among all listed
> options. Some options just say "suitable hardware module", others
> point to 16.3.1 and others say both. We could discuss at our next call
> or someone could take a stab at it and try to use consistent language.
>
>
> Thanks,
> Dimitris.