<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
OK, thanks Dean. It seemed like it had been further back than
February, and I was concerned that perhaps the document had
undergone significant changes since the public review. That seems
not to be the case, so I'm fine with moving forward.<br>
-Rich<br>
<br>
<div class="moz-cite-prefix">On 8/12/2015 5:10 PM, Dean Coclin
wrote:<br>
</div>
<blockquote
cite="mid:14D026C7F297AD44AC82578DD818CDD047B810D60A@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hi Rich,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Yes, we did put
out a version for public comment in February. We took those
comments back along with others that surfaced during the
re-review process and have come out with this document. So
technically this is not another review period. Having said
that, we never say no to any comments which the group feels
need to be addressed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
Jody Cloutier [<a class="moz-txt-link-freetext" href="mailto:jodycl@microsoft.com">mailto:jodycl@microsoft.com</a>] <br>
<b>Sent:</b> Wednesday, August 12, 2015 12:00 PM<br>
<b>To:</b> Ben Wilson; <a class="moz-txt-link-abbreviated" href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>; Dean
Coclin; 'CABFPub'<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> RE: [cabfpub] [cabfc_s] Code Signing
Baseline Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span
style="font-family:'Segoe UI','sans-serif';color:#993366">What is the
purpose of the additional review period? Are we accepting
modifications during this timeframe? <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-family:'Segoe UI','sans-serif';color:#993366"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Ben Wilson<br>
<b>Sent:</b> Wednesday, August 12, 2015 8:58 AM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:richard.smith@comodo.com">richard.smith@comodo.com</a>;
'Dean Coclin' &lt;<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>&gt;;
'CABFPub' &lt;<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfpub] [cabfc_s] Code Signing
Baseline Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">I think we’ve
already done that, unless you’re suggesting that we go out
for another 30-day review period. It would be good to map
out proposed dates when everything is supposed to occur.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #E1E1E1
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> <a moz-do-not-send="true"
href="mailto:codesigning-bounces@cabforum.org">codesigning-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:codesigning-bounces@cabforum.org">mailto:codesigning-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Rich Smith<br>
<b>Sent:</b> Wednesday, August 12, 2015 9:48 AM<br>
<b>To:</b> 'Dean Coclin' &lt;<a moz-do-not-send="true"
href="mailto:Dean_Coclin@symantec.com">Dean_Coclin@symantec.com</a>&gt;;
'CABFPub' &lt;<a moz-do-not-send="true"
href="mailto:public@cabforum.org">public@cabforum.org</a>&gt;<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> Re: [cabfc_s] [cabfpub] Code Signing
Baseline Requirements<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean said:<o:p></o:p></span></p>
<p class="MsoNormal">The Working Group would like to have the
Forum approve these Baseline Requirements by ballot which will
be put forth at the next teleconference. Discussion will start
at that time, followed by a formal vote.<o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Dean, as this
is an entirely new full set of guidelines, this seems fast
for a ballot and vote. With the BRs as I recall, we
circulated to the public and had, I believe, a 30-day public
comment period, after which time it was brought back in
house to address any issues before being then proposed for
final ballot review and approval. Shouldn't we do the same
here?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">-Rich<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in
0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a>
[<a moz-do-not-send="true"
href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>]
<b>On Behalf Of </b>Dean Coclin<br>
<b>Sent:</b> Tuesday, August 11, 2015 4:31 PM<br>
<b>To:</b> CABFPub<br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:codesigning@cabforum.org">codesigning@cabforum.org</a><br>
<b>Subject:</b> [cabfpub] Code Signing Baseline
Requirements<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Code Signing Working Group of the
CA/Browser Forum is pleased to announce the release of the
final version of the Code Signing Baseline Requirements. The
Working Group has been meeting over the last 2 years to
develop and bring this topic to the Forum for approval. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The Working Group would like to have the
Forum approve these Baseline Requirements by ballot which
will be put forth at the next teleconference. Discussion
will start at that time, followed by a formal vote.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This Working Group was chartered by the
Forum at the Mozilla face to face meeting in February 2013
and has brought together forum members and outside
participants to craft a document which we believe will help
improve the security of the ecosystem. Forum members in the
working group include: Comodo, DigiCert, Entrust, ETSI,
Federal PKI, Firmaprofesional, GlobalSign, Izenpe,
Microsoft, StartCom, SwissSign, Symantec, Trend Micro, WoSign
as well as non-members: CAcert, Intarsys, OTA, Richter, and
Travelport.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The stated goal of the group was to:
“Create a set of baseline requirements for code signing that
will reduce the incidence of signed malware”. We strived to
work on 3 sub goals, which are by no means 100% solved.
However, we feel that the document reflects progress towards
these goals which were:<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">1.<span
style="font-size:7.0pt;font-family:'Times New Roman','serif'"> </span>Minimize
private key theft by moving toward more secure key storage
(protection of private keys)<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">2.<span
style="font-size:7.0pt;font-family:'Times New Roman','serif'"> </span>Baseline
authentication and vetting procedures for all parties<o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in">3.<span
style="font-size:7.0pt;font-family:'Times New Roman','serif'"> </span>Information
sharing (notification/revocation) for fraud detection. This
piece was moved to the Information Sharing Working Group<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We ask all members to review the document
and provide feedback for discussion to the forum. The
guidelines would go into effect one year after forum
approval.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><br>
Dean Coclin and Jeremy Rowley<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">on behalf of the<o:p></o:p></p>
<p class="MsoNormal">Code Signing Working Group<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</blockquote>
<br>
</body>
</html>