[Cscwg-public] [External Sender] Re: [Discussion Period Begins] CSC-24 (v2): Timestamping Private Key Protection

Adriano Santoni adriano.santoni at staff.aruba.it
Tue Apr 16 06:35:24 UTC 2024 

I concur with Christophe.

Adriano


Il 12/04/2024 16:30, Christophe Bonjean via Cscwg-public ha scritto:
>
> Hi Martijn,
>
> Looking at the purpose of the ballot, the goal is to require *newly 
> issued* [..] *Private Keys *to be stored in offline HSMs*.*
>
> **
>
> The proposed change scopes this change to [keys related to] Root CA 
> certificates and *new Subordinate CA certificates*
>
> I would recommend to scope this change to Private Keys generated after 
> the effective date, instead of linking it to the issuing date of the 
> Subordinate CA Certificate for those keys.
>
> For example if a CA issues a new Subordinate CA Certificate after this 
> date, with an existing Private Key, then the related Private Key would 
> need to be moved to an offline state. I think the intention is only 
> for new keys to follow this requirement.
>
> Christophe
>
> *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Martijn Katerbarg via Cscwg-public
> *Sent:* Monday, April 8, 2024 9:32 AM
> *To:* cscwg-public at cabforum.org
> *Subject:* [Cscwg-public] [Discussion Period Begins] CSC-24 (v2): 
> Timestamping Private Key Protection
>
> *Purpose of the Ballot*
>
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 
> in order to clarify language regarding Timestamp Authority Private Key 
> Protection. The main goals of this ballot are to:
>
>  1. Require newly issued Timestamp Authority Subordinate CA Private
>     Keys to be stored in offline HSMs
>  2. Add a requirement to remove Private Keys associated with Timestamp
>     Certificates after a 18 months
>  3. Add a requirement to reject SHA-1 timestamp requests
>
> The following motion has been proposed by Martijn Katerbarg of Sectigo 
> and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.
>
> *MOTION BEGINS*
>
> This ballot updates the “Baseline Requirements for the Issuance and 
> Management of Publicly‐Trusted Code Signing Certificates” ("Code 
> Signing Baseline Requirements") based on version 3.7. MODIFY the Code 
> Signing Baseline Requirements as specified in the following 
> redline:https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...84e8586846a0c836d5bccbe9ef74593358c5b421
>
> *MOTION ENDS*
>
> The procedure for this ballot is as follows:
>
> Discussion (7 days)
>
>   * Start Time: 2024-04-08 09:00 UTC
>   * End Time: Not before 2024-04-15 17:00 UTC
>
> Vote for approval (7 days)
>
>   * Start Time: TBD
>   * End Time: TBD
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240416/a969f336/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4620 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240416/a969f336/attachment.p7s>

More information about the Cscwg-public mailing list