[Cscwg-public] [External Sender] Re: [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

Adriano Santoni adriano.santoni at staff.aruba.it
Mon Apr 8 08:35:47 UTC 2024


Hi Martijn,

I can't find (in the call minutes) a past discussion about that, however 
I assume it's fine for everyone since I haven't seen any objections.

Adriano


On 08/04/2024 10:08, Martijn Katerbarg wrote:
>
> Hi Adriano,
>
> My apologies! It was discussed in the past to limit timestamping 
> to 72 or 75 months altogether, and then not require the SubCAs to be 
> offline. The compromise here still allows up to 135-month timestamp 
> certificates, if the SubCAs are offline.
>
> Mind you, there is no current limit to SubCA validity periods yet, but I 
> would like to limit this in a future ballot as well.
>
> Regards,
>
> Martijn
>
> *From: *Adriano Santoni <adriano.santoni at staff.aruba.it>
> *Date: *Monday, 8 April 2024 at 09:47
> *To: *cscwg-public at cabforum.org <cscwg-public at cabforum.org>, Martijn 
> Katerbarg <martijn.katerbarg at sectigo.com>
> *Subject: *Re: [External Sender] [Cscwg-public] [Discussion Period 
> Begins] CSC-24 (v2): Timestamping Private Key Protection
>
> Hi,
>
> wouldn't it have been a little kinder to wait for an answer to the 
> question I asked on Friday 5?
>
> It may be that the answer was obvious, but it remains unclear to me 
> where that 72 months comes from.....
>
> Adriano
>
> On 08/04/2024 09:31, Martijn Katerbarg via Cscwg-public wrote:
>
>     *Purpose of the Ballot*
>
>     This ballot updates the “Baseline Requirements for the Issuance
>     and Management of Publicly‐Trusted Code Signing Certificates“
>     version 3.7 in order to clarify language regarding Timestamp
>     Authority Private Key Protection. The main goals of this ballot
>     are to:
>
>      1. Require newly issued Timestamp Authority Subordinate CA
>         Private Keys to be stored in offline HSMs
>      2. Add a requirement to remove Private Keys associated with
>         Timestamp Certificates after 18 months
>      3. Add a requirement to reject SHA-1 timestamp requests
>
>     The following motion has been proposed by Martijn Katerbarg of
>     Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan
>     of Microsoft.
>
>     *MOTION BEGINS*
>
>     This ballot updates the “Baseline Requirements for the Issuance
>     and Management of Publicly‐Trusted Code Signing Certificates”
>     ("Code Signing Baseline Requirements") based on version 3.7.
>     MODIFY the Code Signing Baseline Requirements as specified in the
>     following redline:
>     https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421
>
>     *MOTION ENDS*
>
>     The procedure for this ballot is as follows:
>
>     Discussion (7 days)
>
>      1. Start Time: 2024-04-08 09:00 UTC
>      2. End Time: Not before 2024-04-15 17:00 UTC
>
>     Vote for approval (7 days)
>
>      1. Start Time: TBD
>      2. End Time: TBD
>
>
>     _______________________________________________
>     Cscwg-public mailing list
>     Cscwg-public at cabforum.org
>     https://lists.cabforum.org/mailman/listinfo/cscwg-public
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: S/MIME cryptographic signature
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240408/fc186350/attachment.p7s>
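Goal 3 of the quoted ballot (reject SHA-1 timestamp requests) is a check a TSA can enforce at its request-handling front end, before anything reaches the timestamping private key. The following is an added example, not code from the ballot, the CAB Forum, or any CA's TSA: it reads the messageImprint of an RFC 3161 TimeStampReq with a minimal hand-written DER reader (standard library only) and refuses SHA-1 (OID 1.3.14.3.2.26), unregistered hash algorithms, digests whose length does not match the declared algorithm, and malformed input. The sample requests are constructed inline; the function names `build_timestamp_req` and `check_timestamp_req` and the accepted-algorithm table are choices made here, not part of any TSA product or of the Baseline Requirements.

```python
"""Added example: front-end check rejecting SHA-1 RFC 3161 timestamp requests.

Not code from the CAB Forum ballot or any CA; hash OIDs are the standard
values, everything else (names, sample data) is constructed for this example.
"""
import hashlib

SHA1_OID = "1.3.14.3.2.26"
# Hash algorithm OID -> expected hashedMessage length in bytes.
DIGEST_LEN = {
    SHA1_OID: 20,                    # SHA-1: listed so it can be named in the rejection
    "2.16.840.1.101.3.4.2.1": 32,    # SHA-256
    "2.16.840.1.101.3.4.2.2": 48,    # SHA-384
    "2.16.840.1.101.3.4.2.3": 64,    # SHA-512
}


# --- minimal DER encoder, used only to construct sample requests ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def build_timestamp_req(hash_oid, digest, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version, messageImprint, [nonce], [certReq] }"""
    alg_id = der_tlv(0x30, der_oid(hash_oid) + b"\x05\x00")          # AlgorithmIdentifier, NULL params
    imprint = der_tlv(0x30, alg_id + der_tlv(0x04, digest))           # MessageImprint
    body = der_tlv(0x02, b"\x01") + imprint                           # version v1(1)
    if nonce is not None:
        body += der_tlv(0x02, nonce.to_bytes(nonce.bit_length() // 8 + 1, "big"))
    if cert_req:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body)


# --- minimal DER reader, enough to reach messageImprint ---
def _read_tlv(buf, pos):
    """Return (tag, value, position after this TLV); raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def check_timestamp_req(der):
    """Return (accepted, reason) for a DER-encoded TimeStampReq."""
    try:
        tag, req, _ = _read_tlv(der, 0)
        if tag != 0x30:
            return False, "not a SEQUENCE"
        tag, version, pos = _read_tlv(req, 0)
        if tag != 0x02 or version != b"\x01":
            return False, "unsupported version"
        tag, imprint, _ = _read_tlv(req, pos)
        if tag != 0x30:
            return False, "missing messageImprint"
        tag, alg_id, pos = _read_tlv(imprint, 0)
        if tag != 0x30:
            return False, "bad AlgorithmIdentifier"
        tag, oid_body, _ = _read_tlv(alg_id, 0)
        if tag != 0x06:
            return False, "bad algorithm OID"
        oid = _decode_oid(oid_body)
        tag, digest, _ = _read_tlv(imprint, pos)
        if tag != 0x04:
            return False, "bad hashedMessage"
    except (IndexError, ValueError) as exc:
        return False, f"malformed request: {exc}"
    if oid == SHA1_OID:
        return False, "SHA-1 messageImprint rejected"
    if oid not in DIGEST_LEN:
        return False, f"unsupported hash algorithm {oid}"
    if len(digest) != DIGEST_LEN[oid]:
        return False, "hashedMessage length does not match declared algorithm"
    return True, f"accepted ({oid})"


if __name__ == "__main__":
    data = b"constructed sample: bytes of a binary submitted for timestamping"
    for name, oid, h in (("SHA-1", SHA1_OID, hashlib.sha1),
                         ("SHA-256", "2.16.840.1.101.3.4.2.1", hashlib.sha256)):
        print(name, check_timestamp_req(build_timestamp_req(oid, h(data).digest(), nonce=0x1234)))
```

The length check matters in practice: a client that declares SHA-256 but submits a 20-byte value is either buggy or trying to get a SHA-1 digest timestamped under a stronger label, and the TSA should refuse it rather than sign whatever bytes arrive.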

