Entrust votes Yes to ballot CSC-24 (v3).
Bruce. From: Cscwg-public <[email protected]> On Behalf Of Martijn Katerbarg via Cscwg-public Sent: Monday, May 20, 2024 5:05 AM To: [email protected] Subject: [EXTERNAL] [Cscwg-public] [Voting Period Begins] CSC-24 (v3): Timestamping Private Key Protection Purpose of the Ballot This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify language regarding Timestamp Authority Private Key Protection. The main goals of this ballot are to: 1. Require Private Keys associated with newly issued Timestamp Authority Subordinate CA to be stored in offline HSMs 2. Require newly issued Timestamp Certificates to be issued from a TSA CA with its Private key storedn in offline HSMs 3. Add a requirement to remove Private Keys associated with Timestamp Certificates after a 18 months 4. Add a requirement to reject SHA-1 timestamp requests The following motion has been proposed by Martijn Katerbarg of Sectigo and endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft. MOTION BEGINS This ballot updates the “Baseline Requirements for the Issuance and Management of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline Requirements") based on version 3.7. MODIFY the Code Signing Baseline Requirements as specified in the following redline: https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...61d9426e9025d448a13eb56fa75b9651b2136548 MOTION ENDS The procedure for this ballot is as follows: Discussion (7 days) * Start Time: 2024-05-10 10:45 UTC * End Time: Not before 2024-05-20 09:05 UTC Vote for approval (7 days) * Start Time: 2024-05-20 09:05 UTC * End Time: 2024-05-27 09:05 UTC Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
_______________________________________________ Cscwg-public mailing list [email protected] https://lists.cabforum.org/mailman/listinfo/cscwg-public
