[Cscwg-public] VOTING BEGINS: Ballot CSC-13: Update to Subscriber Private Key Protection Requirements
Wojciech Trapczyński
wtrapczynski at certum.pl
Wed Apr 6 08:49:52 UTC 2022
Certum votes YES to ballot CSC-13.
On 30/03/2022 19:01, Ian McMillan via Cscwg-public wrote:
>
> Ballot CSC-13: Update to Subscriber Private Key Protection
> Requirements
> <https://wiki.cabforum.org/cscwg/csc_13_-_update_to_subscriber_private_key_protection_requirements>
>
> Purpose of this ballot: Update the subscriber private key protection
> requirements in the Baseline Requirement for the Issuance and
> Management of Publicly-Trusted Code Signing Certificates v2.7. The
> following motion has been proposed by Ian McMillan of Microsoft and
> endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.
>
> — MOTION BEGINS —
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates” version 2.7
> according to the attached redline which includes:
>
> * Update section 16.3 “Subscriber Private Key Protection” to
> “Subscriber Private Key Protection and Verification”
> * Update section 16.3 “Subscriber Private Key Protection” to include
> sub-sections “16.3.1 Subscriber Private Key Protection” and
> “16.3.2 Subscriber Private Key Verification”
> * Update section 16.3 under new sub-section 16.3.1 to remove
> allowance of TPM key generation and software protected private key
> protection, and remove private key protection requirement
> differences between EV and non-EV Code Signing Certificates
> * Update section 16.3 under new sub-section 16.3.1 to include the
> allowance of key generation and protection using a cloud-based key
> protection solution providing key generation and protection in a
> hardware crypto module that conforms to at least FIPS 140-2 Level
> 2 or Common Criteria EAL 4+
> * Update section 16.3 under new sub-section 16.3.2 to include
> verification for Code Signing Certificates' private key generation
> and storage in a crypto module that meets or exceeds the
> requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by
> the CAs. Include additional acceptable methods for verification
> including cloud-based key generation and protection solutions and
> a stipulation for CAs to satisfy this verification requirement
> with additional means specified in their CPS. Any additional means
> specified by a CA in their CPS, must be proposed to the CA/Browser
> Forum for inclusion into the acceptable methods for section 16.3.2
> by November 15, 2022.
>
> — MOTION ENDS —
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7 days)
>
> Start Time: 2022-03-23, 13:00 Eastern Time (US)
>
> End Time: 2022-03-30, 13:00 Eastern Time (US)
>
> Vote for approval (7 days)
>
> Start Time: 2022-03-30, 13:00 Eastern Time (US)
>
> End Time: 2022-04-06, 13:00 Eastern Time (US)
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public