[Cscwg-public] Signing Service Discussion of 10 March 2022

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Fri Mar 11 12:39:57 UTC 2022

Following-up on the discussion about signing services, and the decisions 
of previous meetings that a signing service is basically an entity that 
manages private keys on behalf of Subscribers, please take a look at the 
latest relevant ETSI TS available at:

  * https://www.etsi.org/deliver/etsi_ts/119400_119499/11943101/01.02.01_60/ts_11943101v010201p.pdf

The responsibility to manage keys on behalf of subscribers is not to be 
taken lightly as the current CSBRs do. Agreed that we can take some 
small improvements to the current CSBRs but if we believe that the goal 
is to define a secure environment with secure policies/practices that 
will make the ecosystem safer for subscribers and ultimately Relying 
Parties, then we probably need to invest more time if we want to copy 
good practices from other schemes.

On the other hand, this ETSI standard is already auditable and a legal 
entity could be audited and certified against ETSI TS 119 431. If a CA 
or a Subscriber wants to use a signing service, that signing service 
could either comply with the CSBRs and be audited against the 
requirements of section 17.1, or be audited against ETSI TS 119 431.



On 10/3/2022 10:00 μ.μ., Bruce Morton via Cscwg-public wrote:
> Here is the text we were discussing in the CSCWG meeting today.
> Thanks, Bruce.
> =================================
> Proposed Signing Service items:
>   * Signing Service is may be performed by the CA or a third party
>   * Signing Service is not a CA requirement, so is NOT a function of a
>     Delegated Third Party – this will limit scope
>   * Signing Service references may be removed when not required - this
>     will limit implied scope
>   * Signing Service is not a Subscriber, so all Private Keys are only
>     associated to certificate Subscriber
>   * Signing Service is not an RA, so will not receive certificate
>     requests from an Applicant – CA or Delegated Third Party RA will
>     receive certificate requests
>   * Signing Request requirements will not be defined in the CSBRs
> Private key generation
>   * Signing Service must provide evidence to the CA that the private
>     key was created by the Signing Service.
>   * Question - Ballot CSC-13 allows the Signing Service to use
>     cloud-based key generation. Can the CA can operate the cloud-based
>     service?
> Audit
>   * Specific compliance sections of CSBRs and NetSec should be stated
>     in the CSBRs as the compliance/audit scope should not be
>     determined by the CA, Signing Service and Auditor. Note, WebTrust
>     for CA or ETSI EN 319 411-1 would not be in scope for Signing Service.
>   * For cloud-based key generation, is there a compliance requirement
>     for the cloud-based service?
> /Any email and files/attachments transmitted with it are confidential 
> and are intended solely for the use of the individual or entity to 
> whom they are addressed. If this message has been sent to you in 
> error, you must not copy, distribute or disclose of the information it 
> contains. _Please notify Entrust immediately_ and delete the message 
> from your system./
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220311/4f573455/attachment.html>

More information about the Cscwg-public mailing list