[Cscwg-public] Signing Service Discussion of 10 March 2022

Inigo Barreira Inigo.Barreira at sectigo.com
Fri Mar 11 13:10:01 UTC 2022 

And if we want to go further, you can also check this one on architectures
for (remote) signing services

 
<https://www.etsi.org/deliver/etsi_ts/119400_119499/119432/01.02.01_60/ts_11
9432v010201p.pdf> TS 119 432 - V1.2.1 - Electronic Signatures and
Infrastructures (ESI); Protocols for remote digital signature creation
(etsi.org)

 

De: Cscwg-public <cscwg-public-bounces at cabforum.org> En nombre de Dimitris
Zacharopoulos (HARICA) via Cscwg-public
Enviado el: viernes, 11 de marzo de 2022 13:40
Para: Bruce Morton via Cscwg-public <cscwg-public at cabforum.org>
Asunto: Re: [Cscwg-public] Signing Service Discussion of 10 March 2022

 

CAUTION: This email originated from outside of the organization. Do not
click links or open attachments unless you recognize the sender and know the
content is safe.

 

Following-up on the discussion about signing services, and the decisions of
previous meetings that a signing service is basically an entity that manages
private keys on behalf of Subscribers, please take a look at the latest
relevant ETSI TS available at:

*
https://www.etsi.org/deliver/etsi_ts/119400_119499/11943101/01.02.01_60/ts_1
1943101v010201p.pdf
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.etsi.
org%2Fdeliver%2Fetsi_ts%2F119400_119499%2F11943101%2F01.02.01_60%2Fts_119431
01v010201p.pdf&data=04%7C01%7Cinigo.barreira%40sectigo.com%7Cc7dab448d848465
49f0708da035c47bb%7C0e9c48946caa465d96604b6968b49fb7%7C0%7C0%7C6378259927085
58789%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=3pA8rb%2BoRowQygGJr13gbbM2fu7UbPCeiXGiLHn9
Smg%3D&reserved=0> 

The responsibility to manage keys on behalf of subscribers is not to be
taken lightly as the current CSBRs do. Agreed that we can take some small
improvements to the current CSBRs but if we believe that the goal is to
define a secure environment with secure policies/practices that will make
the ecosystem safer for subscribers and ultimately Relying Parties, then we
probably need to invest more time if we want to copy good practices from
other schemes.

On the other hand, this ETSI standard is already auditable and a legal
entity could be audited and certified against ETSI TS 119 431. If a CA or a
Subscriber wants to use a signing service, that signing service could either
comply with the CSBRs and be audited against the requirements of section
17.1, or be audited against ETSI TS 119 431.

Thoughts?

Dimitris.

 

On 10/3/2022 10:00 μ.μ., Bruce Morton via Cscwg-public wrote:

Here is the text we were discussing in the CSCWG meeting today.

 

Thanks, Bruce.

 

=================================

 

Proposed Signing Service items:

1.	Signing Service is may be performed by the CA or a third party
2.	Signing Service is not a CA requirement, so is NOT a function of a
Delegated Third Party - this will limit scope
3.	Signing Service references may be removed when not required - this
will limit implied scope
4.	Signing Service is not a Subscriber, so all Private Keys are only
associated to certificate Subscriber
5.	Signing Service is not an RA, so will not receive certificate
requests from an Applicant - CA or Delegated Third Party RA will receive
certificate requests
6.	Signing Request requirements will not be defined in the CSBRs

 

 

Private key generation

1.	Signing Service must provide evidence to the CA that the private key
was created by the Signing Service. 
2.	Question - Ballot CSC-13 allows the Signing Service to use
cloud-based key generation. Can the CA can operate the cloud-based service?

 

Audit

1.	Specific compliance sections of CSBRs and NetSec should be stated in
the CSBRs as the compliance/audit scope should not be determined by the CA,
Signing Service and Auditor. Note, WebTrust for CA or ETSI EN 319 411-1
would not be in scope for Signing Service.
2.	For cloud-based key generation, is there a compliance requirement
for the cloud-based service?

 

Any email and files/attachments transmitted with it are confidential and are
intended solely for the use of the individual or entity to whom they are
addressed. If this message has been sent to you in error, you must not copy,
distribute or disclose of the information it contains. Please notify Entrust
immediately and delete the message from your system. 



_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org <mailto:Cscwg-public at cabforum.org> 
https://lists.cabforum.org/mailman/listinfo/cscwg-public
<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.cab
forum.org%2Fmailman%2Flistinfo%2Fcscwg-public&data=04%7C01%7Cinigo.barreira%
40sectigo.com%7Cc7dab448d84846549f0708da035c47bb%7C0e9c48946caa465d96604b696
8b49fb7%7C0%7C0%7C637825992708558789%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjA
wMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=OlgAADk4RHF
Y4gPFiteXun18YUXRdWuTt0X4MlnbdoI%3D&reserved=0> 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220311/276fd4c3/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6853 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20220311/276fd4c3/attachment-0001.p7s>

More information about the Cscwg-public mailing list