[Cscwg-public] Signing Service Discussion of 10 March 2022

[Bruce Morton]

Here is the text we were discussing in the CSCWG meeting today.

Thanks, Bruce.

=================================

Proposed Signing Service items:

  *   Signing Service is may be performed by the CA or a third party
  *   Signing Service is not a CA requirement, so is NOT a function of a Delegated Third Party - this will limit scope
  *   Signing Service references may be removed when not required - this will limit implied scope
  *   Signing Service is not a Subscriber, so all Private Keys are only associated to certificate Subscriber
  *   Signing Service is not an RA, so will not receive certificate requests from an Applicant - CA or Delegated Third Party RA will receive certificate requests
  *   Signing Request requirements will not be defined in the CSBRs


Private key generation

  *   Signing Service must provide evidence to the CA that the private key was created by the Signing Service.
  *   Question - Ballot CSC-13 allows the Signing Service to use cloud-based key generation. Can the CA can operate the cloud-based service?

Audit

  *   Specific compliance sections of CSBRs and NetSec should be stated in the CSBRs as the compliance/audit scope should not be determined by the CA, Signing Service and Auditor. Note, WebTrust for CA or ETSI EN 319 411-1 would not be in scope for Signing Service.
  *   For cloud-based key generation, is there a compliance requirement for the cloud-based service?

Any email and files/attachments transmitted with it are confidential and are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220310/d09245f9/attachment.html>