[Cscwg-public] FW: Consider PCI-HSM certification for Code signing HSMs

Dean Coclin dean.coclin at digicert.com
Thu May 2 19:50:47 UTC 2024 

As mentioned on today's call, I will add this to the next agenda. 

 

Dean Coclin 

 

 

 

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Richard
Kisley via Cscwg-public
Sent: Tuesday, January 2, 2024 5:31 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Consider PCI-HSM certification for Code signing HSMs

 

Hi,

Thank you for the opportunity to discuss this topic.  My apologies for not
sending this sooner, EOY work (day job) and the holidays took over my time.

 

My AOB question on 12/14 was: 'would the group consider adding PCI HSM as an
acceptable certification for Code Signing workloads?'

 

Please find attached the PCI HSM v4 pdf from the PCI SSC documents page
(https://www.pcisecuritystandards.org/document_library/
<https://url.avanan.click/v2/___https:/www.pcisecuritystandards.org/document
_library/___.YXAzOmRpZ2ljZXJ0OmE6bzozZGY5OGQ5NmZiZTQwNzMwYTBjZTBjYTNhY2M1NWQ
xMTo2OmEwZGI6ODc2MzRlMWNhZDNmYmQ5MTI3OWVmMjkwYTE5ZDc2NGU3ODQ4NDhjZmQ4Mjc1OTB
mYWY1ZDdkMzdkYmUzYjQ5YjpoOkY> , filter by 'PTS'). Note that in this location
you have also the 'FAQs', which "enhance" understanding of various topics.

 

My reasons for suggesting this:

1.	PCI (PTS) HSM is a robust program for HSM evaluation in the payment
security space.
2.	The financial services world, while having some unique requirements
(in particular for PKI), is in my opinion not so different for overall
device validation
3.	FIPS 140-3 & FIPS 140-2 (now closed) CMVP programs have a long queue
that is delaying products by well over a year
4.	CC, while valuable in many markets, is not universal
5.	Adding PCI-HSM closes the loop across the main HSM evaluation
regimes

 

Thanks,

 

Richard Kisley
____________________________________________________________________
Firmware & Security Architect, 
IBM Senior Technical Staff Member, Master Inventor
Payment Card Industry Professional (PCIP)
IBM Cryptographic Technology Development
<https://url.avanan.click/v2/___http:/www.ibm.com/security/cryptocards/___.Y
XAzOmRpZ2ljZXJ0OmE6bzozZGY5OGQ5NmZiZTQwNzMwYTBjZTBjYTNhY2M1NWQxMTo2OjdkNzg6O
DlhM2QyN2RlMzg4NGRiMzVhYTg2NzkyNGI5ODk5MDVkZjgwMmRkM2I4NGQ0YzY4NGYzZDI4MDQxZ
TEyZmIwOTpoOkY> http://www.ibm.com/security/cryptocards/
 <mailto:kisley at us.ibm.com> kisley at us.ibm.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240502/92f87932/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PCI_HSM_DTRs_v4.pdf
Type: application/pdf
Size: 1855968 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240502/92f87932/attachment-0001.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5227 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240502/92f87932/attachment-0001.p7s>

More information about the Cscwg-public mailing list