[Cscwg-public] VOTING BEGINS: Ballot CSC-13: Update to Subscriber Private Key Protection Requirements

Mon Apr 4 06:46:15 UTC 2022

Sectigo votes yes

De: Cscwg-public <cscwg-public-bounces at cabforum.org> En nombre de Ian McMillan via Cscwg-public
Enviado el: miércoles, 30 de marzo de 2022 19:01
Para: cscwg-public at cabforum.org
Asunto: [Cscwg-public] VOTING BEGINS: Ballot CSC-13: Update to Subscriber Private Key Protection Requirements

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Ballot CSC-13: Update to Subscriber Private Key Protection Requirements <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cinigo.barreira%40sectigo.com%7C5e158877b20a4bb2bc2f08da126ee587%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C637842564767492665%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=JANqtbK6Vu1zB0%2BrEKymPfdC3aRUFmDx3f7VN%2Bpw7Zo%3D&reserved=0> 

Purpose of this ballot: Update the subscriber private key protection requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.7. The following motion has been proposed by Ian McMillan of Microsoft and endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.

— MOTION BEGINS — 

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 2.7 according to the attached redline which includes:

*	Update section 16.3 “Subscriber Private Key Protection” to “Subscriber Private Key Protection and Verification”
*	Update section 16.3 “Subscriber Private Key Protection” to include sub-sections “16.3.1 Subscriber Private Key Protection” and “16.3.2 Subscriber Private Key Verification”
*	Update section 16.3 under new sub-section 16.3.1 to remove allowance of TPM key generation and software protected private key protection, and remove private key protection requirement differences between EV and non-EV Code Signing Certificates
*	Update section 16.3 under new sub-section 16.3.1 to include the allowance of key generation and protection using a cloud-based key protection solution providing key generation and protection in a hardware crypto module that conforms to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+
*	Update section 16.3 under new sub-section 16.3.2 to include verification for Code Signing Certificates' private key generation and storage in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by the CAs. Include additional acceptable methods for verification including cloud-based key generation and protection solutions and a stipulation for CAs to satisfy this verification requirement with additional means specified in their CPS. Any additional means specified by a CA in their CPS, must be proposed to the CA/Browser Forum for inclusion into the acceptable methods for section 16.3.2 by November 15, 2022.

— MOTION ENDS —

The procedure for approval of this ballot is as follows:

Discussion (7 days) 

Start Time: 2022-03-23, 13:00 Eastern Time (US) 

End Time: 2022-03-30, 13:00 Eastern Time (US)

Vote for approval (7 days) 

Start Time: 2022-03-30, 13:00 Eastern Time (US) 

End Time: 2022-04-06, 13:00 Eastern Time (US)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220404/8b8b029b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6853 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220404/8b8b029b/attachment-0001.p7s>