[Cscwg-public] [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

Fri Apr 12 14:30:18 UTC 2024

Hi Martijn,

Looking at the purpose of the ballot, the goal is to require newly issued [..] Private Keys to be stored in offline HSMs.

The proposed change scopes this change to [keys related to] Root CA certificates and new Subordinate CA certificates

I would recommend to scope this change to Private Keys generated after the effective date, instead of linking it to the issuing date of the Subordinate CA Certificate for those keys. 

For example if a CA issues a new Subordinate CA Certificate after this date, with an existing Private Key, then the related Private Key would need to be moved to an offline state. I think the intention is only for new keys to follow this requirement.

Christophe

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Monday, April 8, 2024 9:32 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

Purpose of the Ballot

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify language regarding Timestamp Authority Private Key Protection. The main goals of this ballot are to:

1.	Require newly issued Timestamp Authority Subordinate CA Private Keys to be stored in offline HSMs
2.	Add a requirement to remove Private Keys associated with Timestamp Certificates after a 18 months
3.	Add a requirement to reject SHA-1 timestamp requests

The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.

 MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.7. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421

MOTION ENDS

The procedure for this ballot is as follows:

Discussion (7 days)

*	Start Time: 2024-04-08 09:00 UTC
*	End Time: Not before 2024-04-15 17:00 UTC

Vote for approval (7 days)

*	Start Time: TBD
*	End Time: TBD

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240412/54dd6da8/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 8477 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240412/54dd6da8/attachment-0001.p7s>