Ian has provided some feedback on the Signing Service ballot. Let’s plan to discuss on the working group call this week.
Thanks, Bruce. From: Ian McMillan <ian...@microsoft.com> Sent: Monday, October 30, 2023 1:30 PM To: Bruce Morton <bruce.mor...@entrust.com>; Dean Coclin <dean.coc...@digicert.com> Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update Hi Bruce, Sorry for the delay. I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I really see the “Signing Service” as a representative of the subscriber in terms Hi Bruce, Sorry for the delay. I think my current struggle is with the applicability of the NetSec BRs audit for Signing Service (and WebTrust for CA really). I really see the “Signing Service” as a representative of the subscriber in terms of providing key protection services and providing an interface to securely sign code with a certificate issued for signing, so the only requirements I am seeing are applicable are the private key protection requirements. Even when a CA’s parent organization is providing a signing service option to subscribers, that entity is all about protecting the private key for the subscriber and is really not part of the “Certificate System” as you might interpret the definition in the NetSec BRs. Today, Signing Services that are not offered by CAs are not audited under these criteria (e.g. Venafi, SignPath, etc.), but now we’d be make them get audits which are not really applicable. The other question I have now is how this audit requirement will be enforced (CAs, root programs, both)? I know we have discussed this point and we agreed we do not want to allow someone with a HSM and a laptop to stand up a signing service, but there is really nothing stopping that from happening now because the subscriber private key protection requirements are what come into play if the subscriber chooses to work with a signing service that is not from a CA. Thanks, Ian From: Bruce Morton <bruce.mor...@entrust.com<mailto:bruce.mor...@entrust.com>> Sent: Monday, October 30, 2023 10:38 AM To: Dean Coclin <dean.coc...@digicert.com<mailto:dean.coc...@digicert.com>>; Ian McMillan <ian...@microsoft.com<mailto:ian...@microsoft.com>> Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update Hi Ian, Just wanted to follow up on getting your re-endorsement. Thanks, Bruce. From: Dean Coclin <dean.coc...@digicert.com<mailto:dean.coc...@digicert.com>> Sent: Monday, October 23, 2023 3:40 PM To: Ian McMillan <ian...@microsoft.com<mailto:ian...@microsoft.com>> Cc: Bruce Morton <bruce.mor...@entrust.com<mailto:bruce.mor...@entrust.com>> Subject: [EXTERNAL] RE: Ballot CSC-21: Signing Service Update Ian, Bruce is out this week but let me know if you want to endorse as he left me instructions to put the ballot out once you endorse. Thanks Dean Dean Coclin Sr. Director Business Development M 1.781.789.8686 [cid:image001.jpg@01DA0B33.689DCA60] From: Cscwg-public <cscwg-public-boun...@cabforum.org<mailto:cscwg-public-boun...@cabforum.org>> On Behalf Of Bruce Morton via Cscwg-public Sent: Friday, October 20, 2023 4:27 PM To: cscwg-public@cabforum.org<mailto:cscwg-public@cabforum.org> Subject: [Cscwg-public] FW: Ballot CSC-21: Signing Service Update The ballot has been updated as indicated below. As soon as we get the proposal re-endorsed, then we will send out version 2 of the ballot. Thanks, Bruce. From: Bruce Morton Sent: Friday, October 20, 2023 8:55 AM To: Ian McMillan <ian...@microsoft.com<mailto:ian...@microsoft.com>>; Tim Hollebeek (tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>) <tim.holleb...@digicert.com<mailto:tim.holleb...@digicert.com>> Cc: Corey Bonnell <corey.bonn...@digicert.com<mailto:corey.bonn...@digicert.com>>; Dean Coclin <dean.coc...@digicert.com<mailto:dean.coc...@digicert.com>> Subject: FW: Ballot CSC-21: Signing Service Update Hi Ian and Tim, Based on the comments and our call yesterday, we have update the proposed ballot, see https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216<https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..0d5ebf46d712b7922dabec917c3147197dacf216___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjI1YmE6N2RmOTcyMmZiZmNiZmI1NTZmZmNkODdkODViZjU3MTgwY2JhODUzZjc0OTM2MTQ5NmE0NTJiY2MzZDlkNTU4MTpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vzgd9jvIo$> The changes are as follows: Original proposal - Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Subscriber's Code Signing Certificate. New proposal - Signing Service: An organization that generates the Key Pair and securely manages the Private Key associated with a Code Signing Certificate, on behalf of a Subscriber. There were no objections to this change on the call and Martijn also agreed that it addressed his concerns. We also discussed helping Signing Service migrate to their audit requirements. This would also help the auditors know when the audit to these requirements would be applicable. Here is the change: Original proposal - The Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes: New proposal - For Audit Periods starting after June 30, 2024, the Signing Service MUST undergo a conformity assessment audit for compliance with these Requirements performed in accordance with one of the following schemes: My assumption is that the ballot will be approved and go through IPR this year, so the current Signing Services would have 6 months to adjust their practices to the new requirements. Please advise if you approve the changes and I will start the discussion period again. Thanks, Bruce. From: Cscwg-public <cscwg-public-boun...@cabforum.org<mailto:cscwg-public-boun...@cabforum.org>> On Behalf Of Bruce Morton via Cscwg-public Sent: Thursday, October 12, 2023 3:59 PM To: cscwg-public@cabforum.org<mailto:cscwg-public@cabforum.org> Subject: [EXTERNAL] [Cscwg-public] Ballot CSC-21: Signing Service Update Purpose of the Ballot This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.4 in order to clarify language regarding Signing Service and signing requests. The main goals of this ballot are to: 1. Clarify the Signing Service definition and the expected deployment model. 2. Remove requirements for signing request. 3. Change text so Signing Service is not categorized as a Delegated Third Party. 4. Not allow Signing Service to transport Private Key to Subscriber. 5. Ensure Network Security Requirements are applicable to Signing Service. 6. State audit requirements for Signing Service. The following motion has been proposed by Bruce Morton of Entrust and endorsed by Tim Hollebeek of DigiCert and Ian McMillan. MOTION BEGINS This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.4. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866<https://urldefense.com/v3/__https:/url.avanan.click/v2/___https:/urldefense.com/v3/__https:/github.com/cabforum/code-signing/compare/93ee9976cdc4e1104952146e3556800459694874..701d195fa95fe49e8a02435fc40fb0a018686866__;!!FJ-Y8qCqXTj2!ai_SiHTiSodTE_VWwZi8Z8QT_M2lCkP6nJYlFupqIB2vMo07Rcbx2E0bKw4GyZ1-pOj0h-PvD9Z5okpQ_IY$___.YXAzOmRpZ2ljZXJ0OmE6bzpiNTE4NTRkNjRhNWVkNTMyODFiNjBjNjg3ZTI4YjQ1YTo2OjFhMTI6YzIzOTA4ZGViYmRmMmUyYzlmODY4ZTRlNGVmY2NmZTljZTFhNWI1YTQ4NmExMzNjMjI5ZDY4ODFlN2ExMzZmMDpoOkY__;!!FJ-Y8qCqXTj2!e5zbSIlB4vz1o5y5nR4egCi7v3C2hjZtjFROMUVTg1gVyyQOEWtHHSMKssLLLkUk9ylt9aR_9-vz8Ipl2OY$> MOTION ENDS The procedure for this ballot is as follows: Discussion (7 days) * Start Time: 2023-10-12 20:00 UTC * End Time: Not before 2023-10-19 20:00 UTC Vote for approval (7 days) * Start Time: TBD * End Time: TBD Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________ Cscwg-public mailing list Cscwg-public@cabforum.org https://lists.cabforum.org/mailman/listinfo/cscwg-public