Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

[Bruce Morton via Cscwg-public]

Hi Corey,

 

Can you please elaborate why you have the concern? 

 

My first take is an example where a Signing Service must use FIPS 140-2 Level 3 
and the Subscriber must use minimum Level 2. So if the Subscriber key was 
generated by the Signing Service, then Level 3 would apply. I don’t see a 
conflict as both requirements are met. 

 

I guess I am not understanding why the Signing Service requirements would not 
apply even if the CA was using the Signing Service for its Subscriber’s keys.

 

 

 

Thanks, Bruce.

 

From: Corey Bonnell <corey.bonn...@digicert.com> 
Sent: Tuesday, October 17, 2023 3:06 PM
To: Martijn Katerbarg <martijn.katerb...@sectigo.com>; 
cscwg-public@cabforum.org; Bruce Morton <bruce.mor...@entrust.com>
Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update

 

In the case where the CA is generating its own Key Pairs to issue itself code 
signing certificates, their obligations for key protection would be outlined in 
the sections pertaining to Subscriber Key Pair protection, even if the Private 
Key so happens to reside in a Signing Service that they run. I think this is 
fine but want to ensure there’s agreement on this interpretation.

 

Thoughts?

 

Thanks,

Corey

From: Cscwg-public <cscwg-public-boun...@cabforum.org 
<mailto:cscwg-public-boun...@cabforum.org> > On Behalf Of Martijn Katerbarg via 
Cscwg-public
Sent: Friday, October 13, 2023 9:17 AM
To: Bruce Morton <bruce.mor...@entrust.com <mailto:bruce.mor...@entrust.com> >; 
cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org> 
Subject: Re: [Cscwg-public] Ballot CSC-21: Signing Service Update

 

Hi Bruce,

 

I have a concern with the “Signing Service” definition:

“**Signing Service**: An organization that generates the Key Pair and securely 
manages the Private Key associated with a Subscriber's Code Signing 
Certificate.”

 

For subscribers that generate their own private keys and use these for signing 
(i.e., they manage them) I’m inclined to say that this would define them as a 
Signing Service.

 

Should we reword this to “An organization other than the Subscriber or any of 
its Affiliates, that generates the Key Pair and securely manages the Private 
Key associated with a Subscriber's Code Signing Certificate”?

 

Regards,

Martijn

 

 

From: Cscwg-public <cscwg-public-boun...@cabforum.org 
<mailto:cscwg-public-boun...@cabforum.org> > on behalf of Bruce Morton via 
Cscwg-public <cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org> >
Date: Thursday, 12 October 2023 at 21:59
To: cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org>  
<cscwg-public@cabforum.org <mailto:cscwg-public@cabforum.org> >
Subject: [Cscwg-public] Ballot CSC-21: Signing Service Update

CAUTION: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.

 

Purpose of the Ballot

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify 
language regarding Signing Service and signing requests. The main goals of this 
ballot are to:

1.      Clarify the Signing Service definition and the expected deployment 
model.
2.      Remove requirements for signing request.
3.      Change text so Signing Service is not categorized as a Delegated Third 
Party.
4.      Not allow Signing Service to transport Private Key to Subscriber.
5.      Ensure Network Security Requirements are applicable to Signing Service.
6.      State audit requirements for Signing Service.

The following motion has been proposed by Bruce Morton of Entrust and endorsed 
by Tim Hollebeek of DigiCert and Ian McMillan.

 

MOTION BEGINS

 

This ballot updates the “Baseline Requirements for the Issuance and Management 
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline 
Requirements") based on version 3.4. MODIFY the Code Signing Baseline 
Requirements as specified in the following redline: 
https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866
 
<https://urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$>
 

 

MOTION ENDS

The procedure for this ballot is as follows: Discussion (7 days)

 

*                 Start Time: 2023-10-12 20:00 UTC

*                 End Time: Not before 2023-10-19 20:00 UTC

 

Vote for approval (7 days)

 

*                 Start Time: TBD

*                 End Time: TBD

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public