[Cscwg-public] [EXTERNAL] [Voting Period Begins] CSC-26 Timestamping Private Key Protection

tony seymour tony at amseymourconsulting.co.uk
Wed Jun 26 23:50:45 UTC 2024


> Comsign votes Yes to ballot CSC-26.
>
> Regards Tony
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of*
> Martijn Katerbarg via Cscwg-public
> *Sent:* Thursday, June 20, 2024 12:31 PM
> *To:* cscwg-public at cabforum.org
> *Subject:* [EXTERNAL] [Cscwg-public] [Voting Period Begins] CSC-26
> Timestamping Private Key Protection
>
> *Purpose of the Ballot*
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates” version 3.7
> in order to clarify language regarding Timestamp Authority Private Key
> Protection. The main goals of this ballot are to:
>
>  1. Require Timestamp Authority Subordinate CA Private Keys to be
>     stored in offline HSMs
>  2. Add a requirement to remove Private Keys associated with Timestamp
>     Certificates after 18 months
>  3. Add a requirement to reject SHA-1 timestamp requests
>
> The following motion has been proposed by Martijn Katerbarg of Sectigo
> and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.
>
> *MOTION BEGINS*
>
> This ballot updates the “Baseline Requirements for the Issuance and
> Management of Publicly‐Trusted Code Signing Certificates” ("Code
> Signing Baseline Requirements") based on version 3.7. MODIFY the Code
> Signing Baseline Requirements as specified in the following
> redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...12130ff7c2b41d795d47925c084780ea0f7328cd
>
> *MOTION ENDS*
>
> The procedure for this ballot is as follows:
>
> Discussion (7 days)
>
>   * Start Time: 2024-06-13 16:30 UTC
>   * End Time: 2024-06-20 16:30 UTC
>
> Vote for approval (7 days)
>
>   * Start Time: 2024-06-20 16:30 UTC
>   * End Time: 2024-06-27 16:30 UTC
>