[Cscwg-public] [Voting Period Begins] CSC-26 Timestamping Private Key Protection

Scott Rea scott.rea at emudhra.com
Mon Jun 24 14:52:51 UTC 2024 

eMudhra Votes YES to Ballot CSC-26

From: Cscwg-public <cscwg-public-bounces at cabforum.org> on behalf of Martijn Katerbarg via Cscwg-public <cscwg-public at cabforum.org>
Date: Thursday, 20 June 2024 at 10:30 AM
To: cscwg-public at cabforum.org <cscwg-public at cabforum.org>
Subject: [Cscwg-public] [Voting Period Begins] CSC-26 Timestamping Private Key Protection
CAUTION: This email is originated from outside of the organization. Do not open the links or the attachments unless you recognize the sender and know the content is safe.


Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify language regarding Timestamp Authority Private Key Protection. The main goals of this ballot are to:

  1.  Require Timestamp Authority Subordinate CA Private Keys to be stored in offline HSMs
  2.  Add a requirement to remove Private Keys associated with Timestamp Certificates after a 18 months
  3.  Add a requirement to reject SHA-1 timestamp requests
The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.

MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.7. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...12130ff7c2b41d795d47925c084780ea0f7328cd

MOTION ENDS
The procedure for this ballot is as follows:

Discussion (7 days)

  *   Start Time: 2024-06-13 16:30 UTC
  *   End Time: 2024-06-20 16:30 UTC

Vote for approval (7 days)

  *   Start Time: 2024-06-20 16:30 UTC
  *   End Time: 2024-06-27 16:30 UTC


Disclaimer: The email and its contents hold confidential information and are intended for the person or entity to which it is addressed. If you are not the intended recipient, please note that any distribution or copying of this email is strictly prohibited as per Company Policy, you are requested to notify the sender and delete the email and associated attachments with it from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240624/01cc3bd1/attachment-0001.html>

More information about the Cscwg-public mailing list