[Cscwg-public] VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Wed Feb 23 07:13:41 UTC 2022
HARICA votes "yes" to ballot CSC-6.
On 22/2/2022 5:30 μ.μ., Ian McMillan via Cscwg-public wrote:
>
> Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_6_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Cdba94eb81c164facf1b508d9f019a88d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637804815989127861%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=chOc9LY58DjZreBftXXETeYfez6xuBrSzqZxifDxvcQ%3D&reserved=0>
>
> Purpose of this ballot: Update the subscriber private key protection
> requirements in the Baseline Requirement for the Issuance and
> Management of Publicly-Trusted Code Signing Certificates v2.7. The
> following motion has been proposed by Ian McMillan of Microsoft, and
> endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.
>
> — MOTION BEGINS —
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates“ version 2.7
> according to the attached redline which includes:
>
> 1. Update section 16.3 “Subscriber Private Key Protection” to
> “Subscriber Private Key Protection and Verification”
> 2. Update section 16.3 “Subscriber Private Key Protection” to include
> sub-sections “16.3.1 Subscriber Private Key Protection” and
> “16.3.2 Subscriber Private Key Verification”
> 3. Update section 16.3 under new sub-section 16.3.1 to remove
> allowance of TPM key generation and software protected private key
> protection, and remove private key protection requirement
> differences between EV and non-EV Code Signing Certificates
> 4. Update section 16.3 under new sub-section 16.3.1 to include the
> allowance of key generation and protection using a cloud-based key
> protection solution providing key generation and protection in a
> hardware crypto module that conforms to at least FIPS 140-2 Level
> 2 or Common Criteria EAL 4+
> 5. Update section 16.3 under new sub-section 16.3.2 to include
> verification for Code Signing Certificates' private key generation
> and storage in a crypto module that meets or exceeds the
> requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by
> the CAs. Include additional acceptable methods for verification
> including cloud-based key generation and protection solutions and
> a stipulation for CAs to satisfy this verification requirement
> with additional means specified in their CPS. Any additional means
> specified by a CA in their CPS, must be proposed to the CA/Browser
> Forum for inclusion into the acceptable methods for section 16.3.2
> within 6 months of inclusion in their CPS.
>
> — MOTION ENDS —
>
> The procedure for approval of this ballot is as follows:
>
> Discussion (7 days)
>
> Start Time: 2022-02-14, 19:30 Eastern Time (US)
>
> End Time: not before 2022-02-21, 19:30 Eastern Time (US)
>
> Vote for approval (7 days)
>
> Start Time: 2022-02-22,10:30 Eastern Time (US)
>
> End Time: 2022-03-01,10:30 Eastern Time (US)
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220223/4085fba0/attachment-0001.html>
More information about the Cscwg-public
mailing list