[Cscwg-public] [Voting Period Begins] CSC-24 (v3): Timestamping Private Key Protection

Bruce Morton Bruce.Morton at entrust.com
Wed May 22 13:00:00 UTC 2024 

Entrust votes Yes to ballot CSC-24 (v3).


Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Monday, May 20, 2024 5:05 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] [Voting Period Begins] CSC-24 (v3): Timestamping Private Key Protection


Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify language regarding Timestamp Authority Private Key Protection. The main goals of this ballot are to:

  1.  Require Private Keys  associated with newly issued Timestamp Authority Subordinate CA to be stored in offline HSMs
  2.  Require newly issued Timestamp Certificates to be issued from a TSA CA with its Private key storedn in offline HSMs
  3.  Add a requirement to remove Private Keys associated with Timestamp Certificates after a 18 months
  4.  Add a requirement to reject SHA-1 timestamp requests
The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.

MOTION BEGINS

This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.7. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...61d9426e9025d448a13eb56fa75b9651b2136548

MOTION ENDS
The procedure for this ballot is as follows:

Discussion (7 days)

  *   Start Time: 2024-05-10 10:45 UTC
  *   End Time: Not before 2024-05-20 09:05 UTC

Vote for approval (7 days)

  *   Start Time: 2024-05-20 09:05 UTC
  *   End Time: 2024-05-27 09:05 UTC


Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20240522/c9979f9d/attachment-0001.html>

More information about the Cscwg-public mailing list