[Cscwg-public] DISCUSSION BEGINS: Ballot CSC-13: Update to Subscriber Private Key Protection Requirements

Doug Beattie doug.beattie at globalsign.com
Wed Mar 23 19:33:44 UTC 2022


Hi Ian,



Just one comment: If you make the edits in para #1 of 16.2 where you
removed “EV”, does that mean that non-EV Code Signing certs must be issued
on an HSM starting “now”?  I think you want to keep EV in there for now,
but can make that edit in a release after the November effective date.



Doug









From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Ian
McMillan via Cscwg-public
Sent: Wednesday, March 23, 2022 1:01 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] DISCUSSION BEGINS: Ballot CSC-13: Update to
Subscriber Private Key Protection Requirements



Ballot CSC-13: Update to Subscriber Private Key Protection Requirements
<https://wiki.cabforum.org/cscwg/csc_13_-_update_to_subscriber_private_key_protection_requirements>

Purpose of this ballot: Update the subscriber private key protection
requirements in the Baseline Requirement for the Issuance and Management of
Publicly-Trusted Code Signing Certificates v2.7. The following motion has
been proposed by Ian McMillan of Microsoft and endorsed by Tim Hollebeek of
DigiCert and Bruce Morton of Entrust.



- MOTION BEGINS -



This ballot updates the “Baseline Requirements for the Issuance and
Management of Publicly‐Trusted Code Signing Certificates” version 2.7
according to the attached redline which includes:



*	Update section 16.3 “Subscriber Private Key Protection” to
“Subscriber Private Key Protection and Verification”
*	Update section 16.3 “Subscriber Private Key Protection” to include
sub-sections “16.3.1 Subscriber Private Key Protection” and “16.3.2
Subscriber Private Key Verification”
*	Update section 16.3 under new sub-section 16.3.1 to remove allowance
of TPM key generation and software protected private key protection, and
remove private key protection requirement differences between EV and non-EV
Code Signing Certificates
*	Update section 16.3 under new sub-section 16.3.1 to include the
allowance of key generation and protection using a cloud-based key
protection solution providing key generation and protection in a hardware
crypto module that conforms to at least FIPS 140-2 Level 2 or Common
Criteria EAL 4+
*	Update section 16.3 under new sub-section 16.3.2 to include
verification for Code Signing Certificates' private key generation and
storage in a crypto module that meets or exceeds the requirements of FIPS
140-2 level 2 or Common Criteria EAL 4+ by the CAs. Include additional
acceptable methods for verification including cloud-based key generation and
protection solutions and a stipulation for CAs to satisfy this verification
requirement with additional means specified in their CPS. Any additional
means specified by a CA in their CPS, must be proposed to the CA/Browser
Forum for inclusion into the acceptable methods for section 16.3.2 by
November 15, 2022.



- MOTION ENDS -



The procedure for approval of this ballot is as follows:



Discussion (7 days)

Start Time: 2022-03-23, 13:00 Eastern Time (US)

End Time: 2022-03-30, 13:00 Eastern Time (US)



Vote for approval (7 days)

Start Time: TBD

End Time: TBD


