[Cscwg-public] VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
ianmcm at microsoft.com
Mon Feb 28 19:05:25 UTC 2022
In light of needs for revisions to this ballot’s content, Microsoft now votes NO on CSC-6.
From: Ian McMillan <ianmcm at microsoft.com>
Sent: Tuesday, February 22, 2022 4:29 PM
To: Ian McMillan <ianmcm at microsoft.com>; cscwg-public at cabforum.org
Subject: RE: VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Microsoft votes, YES, on CSC-6.
From: Cscwg-public <cscwg-public-bounces at cabforum.org<mailto:cscwg-public-bounces at cabforum.org>> On Behalf Of Ian McMillan via Cscwg-public
Sent: Tuesday, February 22, 2022 10:30 AM
To: cscwg-public at cabforum.org<mailto:cscwg-public at cabforum.org>
Subject: [EXTERNAL] [Cscwg-public] VOTING BEGINS: Ballot CSC-6: Update to Subscriber Private Key Protection Requirements
Ballot CSC-6: Update to Subscriber Private Key Protection Requirements<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwiki.cabforum.org%2Fcscwg%2Fcsc_6_-_update_to_subscriber_private_key_protection_requirements&data=04%7C01%7Cianmcm%40microsoft.com%7Cc582a9e0790442c6c27108d9f64a4669%7C72f988bf86f141af91ab2d7cd011db47%7C0%7C0%7C637811621137291417%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=iHYdsY9W%2Bg68aQrfcZNC%2BvwQfpRQw3ImDWq8beVLz%2FA%3D&reserved=0>
Purpose of this ballot: Update the subscriber private key protection requirements in the Baseline Requirement for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.7. The following motion has been proposed by Ian McMillan of Microsoft, and endorsed by Tim Hollebeek of DigiCert and Bruce Morton of Entrust.
- MOTION BEGINS -
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 2.7 according to the attached redline which includes:
1. Update section 16.3 “Subscriber Private Key Protection” to “Subscriber Private Key Protection and Verification”
2. Update section 16.3 “Subscriber Private Key Protection” to include sub-sections “16.3.1 Subscriber Private Key Protection” and “16.3.2 Subscriber Private Key Verification”
3. Update section 16.3 under new sub-section 16.3.1 to remove allowance of TPM key generation and software protected private key protection, and remove private key protection requirement differences between EV and non-EV Code Signing Certificates
4. Update section 16.3 under new sub-section 16.3.1 to include the allowance of key generation and protection using a cloud-based key protection solution providing key generation and protection in a hardware crypto module that conforms to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+
5. Update section 16.3 under new sub-section 16.3.2 to include verification for Code Signing Certificates' private key generation and storage in a crypto module that meets or exceeds the requirements of FIPS 140-2 level 2 or Common Criteria EAL 4+ by the CAs. Include additional acceptable methods for verification including cloud-based key generation and protection solutions and a stipulation for CAs to satisfy this verification requirement with additional means specified in their CPS. Any additional means specified by a CA in their CPS, must be proposed to the CA/Browser Forum for inclusion into the acceptable methods for section 16.3.2 within 6 months of inclusion in their CPS.
- MOTION ENDS -
The procedure for approval of this ballot is as follows:
Discussion (7 days)
Start Time: 2022-02-14, 19:30 Eastern Time (US)
End Time: not before 2022-02-21, 19:30 Eastern Time (US)
Vote for approval (7 days)
Start Time: 2022-02-22,10:30 Eastern Time (US)
End Time: 2022-03-01,10:30 Eastern Time (US)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Cscwg-public