Ballot CSC-13 – Update to Subscriber Key Protection Requirements

Ballot overview

• Ballot CSC-13 updates the subscriber private key protection requirements in the Baseline Requirements for the Issuance and Management of Publicly-Trusted Code Signing Certificates v2.7.
• The ballot passed.

What the ballot changes

• Renames section 16.3 from Subscriber Private Key Protection to Subscriber Private Key Protection and Verification.
• Splits section 16.3 into:
  • 16.3.1 Subscriber Private Key Protection
  • 16.3.2 Subscriber Private Key Verification
• Removes allowance of TPM key generation and software protected private key protection.
• Removes private key protection requirement differences between EV and non-EV Code Signing Certificates.
• Adds allowance for key generation and protection using a cloud-based key protection solution that provides key generation and protection in a hardware crypto module conforming to at least FIPS 140-2 Level 2 or Common Criteria EAL 4+.
• Adds verification requirements for Code Signing Certificates’ private key generation and storage in a crypto module meeting or exceeding FIPS 140-2 level 2 or Common Criteria EAL 4+.
• Allows additional acceptable verification methods, including cloud-based key generation and protection solutions.
• Allows a CA to satisfy the verification requirement with additional means specified in its CPS.
• Requires any additional means specified by a CA in its CPS to be proposed to the CA/Browser Forum for inclusion into the acceptable methods for section 16.3.2 by November 15, 2022.

Dates

• The review period ended and no exclusion notices were filed.
• The final documents state the effective date is 2022-05-09.
• The ballot voting results are shown on the page, and the ballot has PASSED.