[Cscwg-public] VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Mon Feb 28 17:04:30 UTC 2022


HARICA votes "no" to ballot CSC-6.



On 23/2/2022 9:13 π.μ., Dimitris Zacharopoulos (HARICA) wrote:
> HARICA votes "yes" to ballot CSC-6.
>
> On 22/2/2022 5:30 μ.μ., Ian McMillan via Cscwg-public wrote:
>>
>> Ballot CSC-6: Update to Subscriber Private Key Protection 
>> Requirements 
>> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_6_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Cdba94eb81c164facf1b508d9f019a88d%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637804815989127861%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=chOc9LY58DjZreBftXXETeYfez6xuBrSzqZxifDxvcQ%3D&reserved=0>
>>
>> Purpose of this ballot: Update the subscriber private key protection 
>> requirements in the Baseline Requirement for the Issuance and 
>> Management of Publicly-Trusted Code Signing Certificates v2.7. The 
>> following motion has been proposed by Ian McMillan of Microsoft, and 
>> endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.
>>
>> — MOTION BEGINS —
>>
>> This ballot updates the “Baseline Requirements for the Issuance and 
>> Management of Publicly‐Trusted Code Signing Certificates“ version 2.7 
>> according to the attached redline which includes:
>>
>>  1. Update section 16.3 “Subscriber Private Key Protection” to
>>     “Subscriber Private Key Protection and Verification”
>>  2. Update section 16.3 “Subscriber Private Key Protection” to
>>     include sub-sections “16.3.1 Subscriber Private Key Protection”
>>     and “16.3.2 Subscriber Private Key Verification”
>>  3. Update section 16.3 under new sub-section 16.3.1 to remove
>>     allowance of TPM key generation and software protected private
>>     key protection, and remove private key protection requirement
>>     differences between EV and non-EV Code Signing Certificates
>>  4. Update section 16.3 under new sub-section 16.3.1 to include the
>>     allowance of key generation and protection using a cloud-based
>>     key protection solution providing key generation and protection
>>     in a hardware crypto module that conforms to at least FIPS 140-2
>>     Level 2 or Common Criteria EAL 4+
>>  5. Update section 16.3 under new sub-section 16.3.2 to include
>>     verification for Code Signing Certificates' private key
>>     generation and storage in a crypto module that meets or exceeds
>>     the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+
>>     by the CAs. Include additional acceptable methods for
>>     verification including cloud-based key generation and protection
>>     solutions and a stipulation for CAs to satisfy this verification
>>     requirement with additional means specified in their CPS. Any
>>     additional means specified by a CA in their CPS, must be proposed
>>     to the CA/Browser Forum for inclusion into the acceptable methods
>>     for section 16.3.2 within 6 months of inclusion in their CPS.
>>
>> — MOTION ENDS —
>>
>> The procedure for approval of this ballot is as follows:
>>
>> Discussion (7 days)
>>
>> Start Time: 2022-02-14, 19:30 Eastern Time (US)
>>
>> End Time: not before 2022-02-21, 19:30 Eastern Time (US)
>>
>> Vote for approval (7 days)
>>
>> Start Time:  2022-02-22,10:30 Eastern Time (US)
>>
>> End Time: 2022-03-01,10:30 Eastern Time (US)
>>
>>
>> _______________________________________________
>> Cscwg-public mailing list
>> Cscwg-public at cabforum.org
>> https://lists.cabforum.org/mailman/listinfo/cscwg-public
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220228/11fb93be/attachment.html>


More information about the Cscwg-public mailing list