On behalf of Microsoft, I vote “YES” on CSC-26.
Cheers,
Ian
From: Cscwg-public <cscwg-public-boun...@cabforum.org> On Behalf Of Martijn
Katerbarg via Cscwg-public
Sent: Thursday, June 20, 2024 12:31 PM
To: cscwg-public@cabforum.org
Subject: [EXTERNAL] [Cscwg-public] [Voting Period Begins] CSC-26 Timestamping
Private Key Protection
Purpose of the Ballot
This ballot updates the “Baseline Requirements for the Issuance and Management
of Publicly‐Trusted Code Signing Certificates“ version 3.7 in order to clarify
language regarding Timestamp Authority Private Key Protection. The main goals
of this ballot are to:
1. Require Timestamp Authority Subordinate CA Private Keys to be stored in
offline HSMs
2. Add a requirement to remove Private Keys associated with Timestamp
Certificates after a 18 months
3. Add a requirement to reject SHA-1 timestamp requests
The following motion has been proposed by Martijn Katerbarg of Sectigo and
endorsed by Bruce Morton of Entrust and Ian McMillan of Microsoft.
MOTION BEGINS
This ballot updates the “Baseline Requirements for the Issuance and Management
of Publicly‐Trusted Code Signing Certificates” ("Code Signing Baseline
Requirements") based on version 3.7. MODIFY the Code Signing Baseline
Requirements as specified in the following redline:
https://github.com/cabforum/code-signing/compare/d431d9104094f2b89f35ed4bf1d64b9a844e762b...12130ff7c2b41d795d47925c084780ea0f7328cd
MOTION ENDS
The procedure for this ballot is as follows:
Discussion (7 days)
* Start Time: 2024-06-13 16:30 UTC
* End Time: 2024-06-20 16:30 UTC
Vote for approval (7 days)
* Start Time: 2024-06-20 16:30 UTC
* End Time: 2024-06-27 16:30 UTC
_______________________________________________
Cscwg-public mailing list
Cscwg-public@cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public
