[Cscwg-public] VOTING BEGINS: Ballot CSC-13: Update to Subscriber Private Key Protection Requirements

[Dimitris Zacharopoulos (HARICA)]

HARICA votes "yes" to ballot CSC-13.

On 30/3/2022 8:01 μ.μ., Ian McMillan via Cscwg-public wrote:
>
> Ballot CSC-13: Update to Subscriber Private Key Protection 
> Requirements 
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_13_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7C31d96159f5ed42ea367808da0ceebaa5%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637836517169400423%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=W9JW6jbaoIP9q5eo5kI9KtC%2FbyLkrPw4%2BknyEac9Fa8%3D&reserved=0>
>
> Purpose of this ballot: Update the subscriber private key protection 
> requirements in the Baseline Requirement for the Issuance and 
> Management of Publicly-Trusted Code Signing Certificates v2.7. The 
> following motion has been proposed by Ian McMillan of Microsoft and 
> endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.
>
> — MOTION BEGINS —
>
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates“ version 2.7 
> according to the attached redline which includes:
>
>   * Update section 16.3 “Subscriber Private Key Protection” to
>     “Subscriber Private Key Protection and Verification”
>   * Update section 16.3 “Subscriber Private Key Protection” to include
>     sub-sections “16.3.1 Subscriber Private Key Protection” and
>     “16.3.2 Subscriber Private Key Verification”
>   * Update section 16.3 under new sub-section 16.3.1 to remove
>     allowance of TPM key generation and software protected private key
>     protection, and remove private key protection requirement
>     differences between EV and non-EV Code Signing Certificates
>   * Update section 16.3 under new sub-section 16.3.1 to include the
>     allowance of key generation and protection using a cloud-based key
>     protection solution providing key generation and protection in a
>     hardware crypto module that conforms to at least FIPS 140-2 Level
>     2 or Common Criteria EAL 4+
>   * Update section 16.3 under new sub-section 16.3.2 to include
>     verification for Code Signing Certificates' private key generation
>     and storage in a crypto module that meets or exceeds the
>     requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by
>     the CAs. Include additional acceptable methods for verification
>     including cloud-based key generation and protection solutions and
>     a stipulation for CAs to satisfy this verification requirement
>     with additional means specified in their CPS. Any additional means
>     specified by a CA in their CPS, must be proposed to the CA/Browser
>     Forum for inclusion into the acceptable methods for section 16.3.2
>     by November 15, 2022.
>
> — MOTION ENDS —
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7 days)
>
> Start Time: 2022-03-23, 13:00 Eastern Time (US)
>
> End Time: 2022-03-30, 13:00 Eastern Time (US)
>
> Vote for approval (7 days)
>
> Start Time: 2022-03-30, 13:00 Eastern Time (US)
>
> End Time: 2022-04-06, 13:00 Eastern Time (US)
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220404/3444102f/attachment.html>