[Cscwg-public] FW: questions of use of IP addresses for codesign timestamp.

Dean Coclin dean.coclin at digicert.com
Wed Oct 6 13:33:58 UTC 2021


Please see post below...

-----Original Message-----
From: 伊藤 忠彦 <tadahi-ito at secom.co.jp>
Sent: Wednesday, October 6, 2021 5:41 AM
To: Microsoft <msroot at microsoft.com>; Dean Coclin <dean.coclin at digicert.com>
Cc: 加毛 寿 <h-kamo at secom.co.jp>
Subject: questions of use of IP addresses for codesign timestamp.

Hi MS root Program, Dean.

This is mainly a question to MS, but I am also sending it to Dean as chair of
the CSCWG.
If necessary, please share this email with the CSCWG members also.

I am currently investigating the legal aspect of logging and *use* of IP
addresses of timestamp requests used for codesign, before turning it into
SECOM's legal check.

I need to clarify the following questions before the legal checks, so could you
clarify the following questions?

Q1) How will those IP addresses be used?
Q2) Can we describe that usage in the CP or user agreement document?
Q3) Has MS already published materials explaining that usage? If not, is
there any plan to publish them in the future?

---- Descriptions of above questions. ----

Q1) If we provide the recorded IP address to another organization, the
procedure may be treated as "provision of personal information to an overseas
third party". In that case, the consent of the IP address owner may be
required (if we use it for revocation only without identifying an individual
etc., consent may not be necessary, but a legal check is required).
We believe that we cannot get agreement from criminals, and need to fend off
with the following exceptions:
a) For example, if this IP address is used for criminal investigations and
SECOM can confirm that it is used for a criminal investigation, it can be
treated as an exception (e.g. by a request for disclosure from the judicial
authorities).
Note that there is some possibility that a request from a US organization might
be treated differently according to GDPR.
b) Consent is not necessary if consent would damage other users' life,
body, and property.
c) If a request were made from a Japanese organization, we might be able to use
another exception, but even in that case, we should disclose the usage at some
granularity.
In order to treat IP addresses as an exception above, we need to know how
this IP address will be used.
So, could you tell us how to use those IP addresses?

Q2) I think that it is necessary to describe the usage in our CP or terms of
use, but could you tell me what granularity would be acceptable for MS or
CSCWG?
(I'm asking that question because I know that intelligence information could
be hard to disclose.)

Q3) If there is a public article explaining the use of those IP addresses, the
process of our company could be much easier. If there is any public
information, or there is a plan to publish in the future, could you share
that information?

Regards,
Tadahiko Ito
