[Cscwg-public] FW: Clarification on CA/B CSC-13 and TPMs

Bruce Morton Bruce.Morton at entrust.com
Thu Apr 13 16:56:55 UTC 2023


There is work being done to draft an RFC for key attestation. There are some questions below which are for the CSCWG to address.

Thanks, Bruce.

From: Mike Ounsworth <Mike.Ounsworth at entrust.com>
Sent: Thursday, April 13, 2023 11:51 AM
To: Corey Bonnell <corey.bonnell at digicert.com>; Bruce Morton <Bruce.Morton at entrust.com>; Tomas Gustavsson <Tomas.Gustavsson at keyfactor.com>
Subject: Clarification on CA/B CSC-13 and TPMs

Hi Corey, Bruce, Tomas,

This morning we had a fantastic meeting of almost two dozen representatives from HSM and CA vendors talking about key attestation formats to automate validation of compliance with CSBRs ballot CSC-13. Full meeting notes are here: <https://github.com/EntrustCorporation/draft-ounsworth-pkix-key-attestation/blob/master/meetingNotes/2023-04-13.md>.

One action item from this meeting was to request CA/B to clarify its position on TPMs with respect to CSC-13. From the discussion, it sounds like the intent of CSC-13 is to stop the practice of using software keys (p12 files or similar) for publicly-trusted code signing subscriber keys. The question was raised "What if the code signing server's motherboard has a TPM which is certified to FIPS 140-2 level 2+, or CC EAL 4+ and the subscriber key is resident to the TPM, does that count?". Another question that came up is whether the CSBRs should be future-proofed to include FIPS 140-3 since 140-2 is already deprecated.

On the call we operated under the assumption that FIPS / CC TPMs probably are within the intent of the new CSBRs, and CAs will need to implement two key attestation parsers: one for TPMs as per the TPM 2.0 specification, and one for HSMs - whatever results from this group. However, we would like official confirmation from CA/B before we get too deep into this.

Thank you,
- - -
Mike Ounsworth
Software Security Architect
(pronouns: he/him)
O: +1-613-270-2873
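As an added example (not code from this thread or from the draft-ounsworth attestation work), here is a minimal Python parser for the TPMS_ATTEST structure that TPM2_Certify() produces, of the kind a CA would need in order to check that a TPM attestation actually covers the subscriber's code signing key. It assumes the field layouts from TPM 2.0 Library Part 2 and SHA-256 as the key's nameAlg; the sample attestation and public area are constructed inline, and verifying the TPMT_SIGNATURE over the blob against the attestation key's certificate chain is a separate step not shown here.

```python
import hashlib
import struct

# Constants from TPM 2.0 Library Part 2 (Structures).
TPM_GENERATED_VALUE = 0xFF544347      # marks data as produced by the TPM
TPM_ST_ATTEST_CERTIFY = 0x8017        # TPM2_Certify() attestation type
TPM_ALG_SHA256 = 0x000B

def _tpm2b(buf, off):
    """Read a TPM2B_* sized buffer (2-byte big-endian length prefix)."""
    (size,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + size], off + 2 + size

def parse_certify_attest(attest):
    """Parse a TPMS_ATTEST of type TPM_ST_ATTEST_CERTIFY into a dict."""
    magic, st = struct.unpack_from(">IH", attest, 0)
    if magic != TPM_GENERATED_VALUE:
        raise ValueError("attestation was not generated by a TPM")
    if st != TPM_ST_ATTEST_CERTIFY:
        raise ValueError("unexpected attestation type 0x%04x" % st)
    signer, off = _tpm2b(attest, 6)            # qualifiedSigner (TPM2B_NAME)
    extra, off = _tpm2b(attest, off)           # extraData: caller's nonce
    clock, resets, restarts, safe = struct.unpack_from(">QIIB", attest, off)
    (fw,) = struct.unpack_from(">Q", attest, off + 17)   # firmwareVersion
    name, off = _tpm2b(attest, off + 25)       # TPMS_CERTIFY_INFO.name
    qname, off = _tpm2b(attest, off)           # TPMS_CERTIFY_INFO.qualifiedName
    if off != len(attest):
        raise ValueError("trailing bytes after TPMS_ATTEST")
    return {"signer": signer, "extra": extra, "clock": clock, "resets": resets,
            "restarts": restarts, "safe": safe, "firmware": fw,
            "name": name, "qualified_name": qname}

def tpm_name(public_area):
    """Name of a key = nameAlg || H(TPMT_PUBLIC); only SHA-256 handled here."""
    (name_alg,) = struct.unpack_from(">H", public_area, 2)
    if name_alg != TPM_ALG_SHA256:
        raise ValueError("unsupported nameAlg 0x%04x" % name_alg)
    return struct.pack(">H", name_alg) + hashlib.sha256(public_area).digest()

def attestation_covers_key(attest, public_area):
    """True if the certify attestation names the given TPMT_PUBLIC."""
    return parse_certify_attest(attest)["name"] == tpm_name(public_area)

def build_certify_attest(name, qname, extra=b""):
    """Construct a sample TPMS_ATTEST for testing (a real one comes from TPM2_Certify)."""
    def tpm2b(b): return struct.pack(">H", len(b)) + b
    return (struct.pack(">IH", TPM_GENERATED_VALUE, TPM_ST_ATTEST_CERTIFY)
            + tpm2b(b"\x00\x0b" + b"\x11" * 32) + tpm2b(extra)
            + struct.pack(">QIIB", 1000, 3, 0, 1) + struct.pack(">Q", 0x20230413)
            + tpm2b(name) + tpm2b(qname))
```

A CA-side check would additionally require that extraData equals the nonce it issued and that the attestation key chains to a TPM vendor's EK/AK certificate before accepting the key as hardware-resident.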
