<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Aug 25, 2014 at 1:29 PM, Jeremy Rowley <span dir="ltr"><<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-family:Cambria,serif">Hi everyone, <u></u>
<u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif">In 2013, the CA/Browser Forum voted to create a Code Signing Working Group whose sole purpose was to come up with a set of Baseline Requirements for the issuance of Code Signing Certificates.
The result of that effort is enclosed. Once approved by the CA/B Forum and subsequent audit standards are created, all Certificate Authorities will be obligated to follow these Requirements when issuing and managing code signing certificates.
<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif">The goals of this project and resulting document are as follows:<u></u><u></u></span></p>
<p><u></u><span style="font-family:Cambria,serif"><span>1.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-family:Cambria,serif">Create uniform identification and vetting procedures that all Certificate Authorities must follow when issuing code signing certificates<u></u><u></u></span></p>
<p><u></u><span style="font-family:Cambria,serif"><span>2.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-family:Cambria,serif">Identify ways to stop the theft of private keys and prevent key compromise by increasing the required levels of key protection<u></u><u></u></span></p>
<p><u></u><span style="font-family:Cambria,serif"><span>3.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-family:Cambria,serif">I</span><span style="font-family:Cambria,serif">dentify origins of malware (geographic and otherwise) and implement procedures to reduce the incidence of signed malware<u></u><u></u></span></p>
<p><u></u><span style="font-family:Cambria,serif"><span>4.<span style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:7pt;line-height:normal;font-family:'Times New Roman'">
</span></span></span><u></u><span style="font-family:Cambria,serif">Document</span><span style="font-family:Cambria,serif"> standards for code signing “services” which store private code-signing keys in cloud-based service offerings<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif">Although it may seem that the biggest beneficiaries of these guidelines will be large operating system vendors that utilize code signing certificates, the public as a whole will benefit from a
reduced incidence of malware on their systems and devices. We urge users, the software development industry, and operating system platforms to carefully review this document and provide comments to the CA/B Forum by October 30, 2014. The Working Group will
review every comment for incorporation into the final draft. Comments should be sent to
<a href="mailto:questions@cabforum.org" target="_blank"><span style="color:windowtext">questions@cabforum.org</span></a>.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif"><br>
Thanks,<br>
The Code Signing Working Group<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-family:Cambria,serif"><u></u> <u></u></span></p>
</div>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br></div><div class="gmail_extra"><div style="font-family:arial,sans-serif;font-size:13px">Jeremy, members of the Code Signing WG,</div><div style="font-family:arial,sans-serif;font-size:13px"><br>
Thank you for putting together this document. I'm sure it represents a significant amount of time, effort and discussion to come to this current state. However, as we've expressed in the past, Google has serious reservations endorsing this as a publication of the CA/Browser Forum, and would like to encourage members to contemplate other options for publication. If it were to be put towards a Forum vote for adoption, we would be opposed.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">A non-exhaustive list of reasons for this objection includes:</div><div style="font-family:arial,sans-serif;font-size:13px">
<ul><li style="margin-left:15px">These Requirements are only relevant to applications that rely on publicly-trusted certificates for Code Signing. As many CAs are aware, this model is not the model of most modern code signing systems, including Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or Google's Android and Chrome platforms. In practice, and as reflected in the WG membership, this is largely constrained to Microsoft's requirements. For a document that strives to benefit "large operating system vendors that utilize code signing certificates," it only affects one in practice, and that's seriously concerning.<br>
</li><li style="margin-left:15px">In order to be relevant and applicable to other platforms that may wish to delegate their security to third-parties such as CAs, it will require a rechartering of the CA/Browser Forum to permit the inclusion of these vendors in the activities and meetings of the Forum. As reflected in the very name itself, we believe that the CA/Browser Forum is best suited as a collaboration of CAs and Browsers. If CAs wish to work with other ISVs for the development of common criteria for code-signing, we would like to suggest that a different, separate forum be established.</li>
<li style="margin-left:15px">Although the EV Code Signing Guidelines are already a work product of the Forum, we have still expressed our concerns in the past regarding that document as well. Absent multiple ISVs having been involved in drafting and committing to adopting these guidelines, we feel that such documents may be disproportionately affected by the participating CAs, to the detriment of non-participants. Similar to our concerns here, we feel it's best if the EV Code Signing Guidelines were best transitioned away from the Forum, in order to reflect their specific limitations, relevance, and applicability to the Microsoft Root Program.</li>
</ul><div>I hope that the CAs that participated in the work group, as well as Microsoft, are able to channel this momentum into a productive effort outside of the Forum. For example, these requirements may very likely be better expressed simply as Microsoft's requirements for participants in their Code Signing Program.</div>
</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">All the best,</div><div style="font-family:arial,sans-serif;font-size:13px">Adam, Chris, and Ryan, on behalf of Google</div>
</div></div>