<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:651104333;
mso-list-template-ids:452765186;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m glad the extensive work of the group over the past year and a half was acknowledged up front. But I’m deeply disappointed in the rest of the contents of this email. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Google has serious reservations endorsing this…”</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>The concern is duly noted however the time for expressing such concern was at the time of formation of the working group, not a year later nor at the time of the publication of the draft. For the record, the Code Signing Working Group was chartered by the members of the CA/B Forum and no objection was noted at that time. It is not some rogue working group that was self-formed. In addition, the working group attracted outside participants who worked on the document’s development. These parties were “users” or “relying parties” and were not affiliated with any platform. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Google’s announcement of a “no” vote prior to a review and comment period does nothing to enhance Internet security, a primary goal of this document. In fact, I would characterize this declaration as self-serving because the results of the working group may not apply directly to Google’s own platform. Google seems to be more concerned with how and where this document is created rather than improving Internet security. Trying to form yet another group just to focus on code signing would be cumbersome and most likely wouldn’t result in a different document. The public comment period affords others that could not participate the opportunity to provide additional viewpoints, comments, and criticisms which we welcome. If Google doesn’t want to participate for philosophical reasons, the declaration should be to “Abstain”, not to say “No”. A “no” vote indicates disagreement with the document, which I believe Google doesn’t want to bother reviewing. That's perfectly fine and it is recognized that not every member is concerned with or votes on every particular issue. But the appropriate vote (when the time comes) is to abstain.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this is largely constrained to Microsoft's requirements. For a document that strives to benefit "large operating system vendors that utilize code signing certificates," it only affects one in practice, and that's seriously concerning.”</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’d like to correct this misconception. Microsoft is not the only large operating system software vendor. Oracle’s Java platform could be another beneficiary and this document is being sent to Oracle for review and comment. In addition, Adobe operates several platforms that require signing and they will directly receive the draft. Then there are smaller ecosystems like Intel which could adopt all or parts of this. It is anticipated that these and other groups will provide input so the draft can be enhanced.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>this model is not the model of most modern code signing systems, including Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or Google's Android and Chrome platforms.”</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I don’t think you meant it but let’s be clear: “modern” does not equal secure, especially when Android is mentioned in this context. Every code signing model can stand improvements and although this document may not be directly useful to so called “modern” code signing systems, concepts developed by the working group when it comes to things like authentication, private key protection or revocation can be applied to these environments.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It is well known that most CAs issue SSL and code signing certificates as part of their business model. The fact that the parties of the CA/Browser forum can agree on a Code Signing Baseline Requirements document says that the forum has come a long way in working together to promote a secure code signing ecosystem.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>“…</span><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I'm sure it represents a significant amount of time, effort and discussion to come to this current state.”</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can say that again, and I’m sorry if I sound a bit exasperated in this email. But that’s what happens when a group of 20 companies spends a significant amount of time and effort toward a goal which we believed to be a common one.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I guess I should be glad that Google has stated its intent up front so we know what to expect after the review and not be hit with surprises later. But for the sake of the security of the ecosystem and the health of the general Internet which we have been working to improve over the past year and a half, I would urge a vote other than no.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks,<br>Dean Coclin<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>CSWG co-chair<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> </span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> [</span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>mailto:public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>] <b>On Behalf Of </b>Ryan Sleevi<br><b>Sent:</b> Monday, August 25, 2014 6:46 PM<br><b>To:</b> Jeremy Rowley<br><b>Cc:</b> </span><a href="mailto:public@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>public@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'><br><b>Subject:</b> Re: [cabfpub] Code Signing Baseline Requirements - Public Draft<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Mon, Aug 25, 2014 at 1:29 PM, Jeremy Rowley <<a href="mailto:jeremy.rowley@digicert.com" target="_blank">jeremy.rowley@digicert.com</a>> wrote:<o:p></o:p></p><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'>Hi everyone, </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'>In 2013, the CA/Browser Forum voted to create a Code Signing Working Group whose sole purpose was to come up with a set of Baseline Requirements for the issuance of Code Signing Certificates. The result of that effort is enclosed. Once approved by the CA/B Forum and subsequent audit standards are created, all Certificate Authorities will be obligated to follow these Requirements when issuing and managing code signing certificates. </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'>The goals of this project and resulting document are as follows:</span><o:p></o:p></p><p><span style='font-family:"Cambria","serif"'>1.</span><span style='font-size:7.0pt'> </span><span style='font-family:"Cambria","serif"'>Create uniform identification and vetting procedures that all Certificate Authorities must follow when issuing code signing certificates</span><o:p></o:p></p><p><span style='font-family:"Cambria","serif"'>2.</span><span style='font-size:7.0pt'> </span><span style='font-family:"Cambria","serif"'>Identify ways to stop the theft of private keys and prevent key compromise by increasing the required levels of key protection</span><o:p></o:p></p><p><span style='font-family:"Cambria","serif"'>3.</span><span style='font-size:7.0pt'> </span><span style='font-family:"Cambria","serif"'>Identify origins of malware (geographic and otherwise) and implement procedures to reduce the incidence of signed malware</span><o:p></o:p></p><p><span style='font-family:"Cambria","serif"'>4.</span><span style='font-size:7.0pt'> </span><span style='font-family:"Cambria","serif"'>Document standards for code signing “services” which store private code-signing keys in cloud-based service offerings</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'> </span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'>Although it may seem that the biggest beneficiaries of these guidelines will be large operating system vendors that utilize code signing certificates, the public as a whole will benefit from a reduced incidence of malware on their systems and devices. We urge users, the software development industry, and operating system platforms to carefully review this document and provide comments to the CA/B Forum by October 30, 2014. The Working Group will review every comment for incorporation into the final draft. Comments should be sent to </span><a href="mailto:questions@cabforum.org" target="_blank"><span style='font-family:"Cambria","serif";color:windowtext'>questions@cabforum.org</span></a><span style='font-family:"Cambria","serif"'>.</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'><br>Thanks,<br>The Code Signing Working Group</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-family:"Cambria","serif"'> </span><o:p></o:p></p></div></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>Public mailing list<br><a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br><a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Jeremy, members of the Code Signing WG,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><br>Thank you for putting together this document. I'm sure it represents a significant amount of time, effort and discussion to come to this current state. However, as we've expressed in the past, Google has serious reservations endorsing this as a publication of the CA/Browser Forum, and would like to encourage members to contemplate other options for publication. If it were to be put towards a Forum vote for adoption, we would be opposed.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>A non-exhaustive list of reasons for this objection includes:<o:p></o:p></span></p></div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>These Requirements are only relevant to applications that rely on publicly-trusted certificates for Code Signing. As many CAs are aware, this model is not the model of most modern code signing systems, including Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or Google's Android and Chrome platforms. In practice, and as reflected in the WG membership, this is largely constrained to Microsoft's requirements. For a document that strives to benefit "large operating system vendors that utilize code signing certificates," it only affects one in practice, and that's seriously concerning.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>In order to be relevant and applicable to other platforms that may wish to delegate their security to third-parties such as CAs, it will require a rechartering of the CA/Browser Forum to permit the inclusion of these vendors in the activities and meetings of the Forum. As reflected in the very name itself, we believe that the CA/Browser Forum is best suited as a collaboration of CAs and Browsers. If CAs wish to work with other ISVs for the development of common criteria for code-signing, we would like to suggest that a different, separate forum be established.<o:p></o:p></span></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;margin-left:47.25pt;text-indent:-.25in;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='font-size:10.0pt;font-family:Symbol'><span style='mso-list:Ignore'>·<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Although the EV Code Signing Guidelines are already a work product of the Forum, we have still expressed our concerns in the past regarding that document as well. Absent multiple ISVs having been involved in drafting and committing to adopting these guidelines, we feel that such documents may be disproportionately affected by the participating CAs, to the detriment of non-participants. Similar to our concerns here, we feel it's best if the EV Code Signing Guidelines were best transitioned away from the Forum, in order to reflect their specific limitations, relevance, and applicability to the Microsoft Root Program.<o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>I hope that the CAs that participated in the work group, as well as Microsoft, are able to channel this momentum into a productive effort outside of the Forum. For example, these requirements may very likely be better expressed simply as Microsoft's requirements for participants in their Code Signing Program.<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>All the best,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Adam, Chris, and Ryan, on behalf of Google<o:p></o:p></span></p></div></div></div></div></body></html>