<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-9"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Cambria;
panose-1:2 4 5 3 5 4 6 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma",sans-serif;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0cm;
margin-right:0cm;
margin-bottom:0cm;
margin-left:36.0pt;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma",sans-serif;}
p.line874, li.line874, div.line874
{mso-style-name:line874;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
p.Default, li.Default, div.Default
{mso-style-name:Default;
margin:0cm;
margin-bottom:.0001pt;
text-autospace:none;
font-size:12.0pt;
font-family:"Cambria",serif;
color:black;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle24
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle25
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:#1F497D;}
span.EmailStyle26
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:701632324;
mso-list-type:hybrid;
mso-list-template-ids:1798194408 67698703 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level2
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level3
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level4
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level5
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level6
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
@list l0:level7
{mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level8
{mso-level-number-format:alpha-lower;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l0:level9
{mso-level-number-format:roman-lower;
mso-level-tab-stop:none;
mso-level-number-position:right;
text-indent:-9.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='color:black'>Dear Dean and Dear All,<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>First of all many thanks for the Code Signing WG for preparing these BRs.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>I would like to raise a discussion about the security requirements of the hardware security devices mentioned in the document. Under section “16.3 Subscriber Private Key Protection” the following hardware security module requirements are stated:<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:black'>“<o:p></o:p></span></p><p class=Default style='margin-left:36.0pt'><i><span style='color:black'>…<o:p></o:p></span></i></p><p class=Default style='margin-left:36.0pt'><i><span style='color:black'><o:p> </o:p></span></i></p><p class=Default style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:11.3pt;margin-left:36.0pt'><i><span style='font-size:11.0pt;color:black'>2. A hardware crypto module with a unit design form factor certified as conforming to at least FIPS 140 Level 2, Common Criteria EAL 4+, or equivalent. <o:p></o:p></span></i></p><p class=Default style='margin-left:36.0pt'><i><span style='font-size:11.0pt;color:black'>3. Another type of hardware storage token with a unit design form factor of SD Card or USB token (not necessarily certified as conformant with FIPS 140 Level 2 or Common Criteria EAL 4+). The Subscriber MUST also warrant that it will keep the token physically separate from the device that hosts the code signing function until a signing session is begun. <o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:36.0pt'><i><span style='color:black'>…<o:p></o:p></span></i></p><p class=MsoNormal style='margin-left:36.0pt'><span style='color:black'>“<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Actually, in many contexts and legislative requirements, the minimum security level for those PKI devices, whether they be HSM devices or smart cards, are indicated as either Common Criteria EAL4+ certified or equivalently FIPS PUB 140-2 Level 3 certified (<u>not</u> Level <u>2</u>). The corresponding requirement under section 16.3 of Code Signing BRs do not enforce that equivalency; i.e. it allows choosing a relatively lower level of security if FIPS certification is preferred. <o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>On the other hand, when I checked the EV Code Signing Guidelines again, I saw that only FIPS 140-2 Level 2 requirement is stated under section “16 Data Security”. When I first examined the EV Code Signing Guidelines draft, I thought Level 2 was deliberately selected by the WG for defining a certain level of security yet not limiting the hardware device options in the market for code signing services. That’s why, I hadn’t objected that requirement under EV Guidelines at that time.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>However, upon introducing a Common Criteria equivalency of EAL 4+ in the BRs now, I believe the security levels should also be equivalent (at least parallel, as equivalency of FIPS and Common Criteria security levels is sometimes arguable).<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Hence, what I would suggest is changing the requirement under section 16.3 of Code Signing BRs to “<b><u>FIPS 140-2 Level 3</u> or Common Criteria EAL 4+</b>” and reflecting this requirement similarly to the EV Code Signing Guidelines.<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>I should probably have opened this discussion well before but I only recently noticed this specific issue. I hope it’s not too late to discuss, considering the ongoing ballot process…<o:p></o:p></span></p><p class=MsoNormal><span style='color:black'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:black'>Best regards,<o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><b><span lang=TR>N. Atilla BILER<o:p></o:p></span></b></p><p class=MsoNormal><b><span lang=TR>Business Development Manager / Advisor to R&D Center<o:p></o:p></span></b></p><p class=MsoNormal><b><span lang=TR>TURKTRUST Inc.<o:p></o:p></span></b></p><p class=MsoNormal><span lang=TR><o:p> </o:p></span></p><p class=MsoNormal><span lang=TR>Address: Hollanda Cad. 696.Sok. No:7 Yildiz 06550 Cankaya / ANKARA - TURKEY<o:p></o:p></span></p><p class=MsoNormal><span lang=TR>Phone : +90 (312) 439 10 00<o:p></o:p></span></p><p class=MsoNormal><span lang=TR>Mobile : +90 (530) 314 24 05<o:p></o:p></span></p><p class=MsoNormal><span lang=TR>Fax : +90 (312) 439 10 01<o:p></o:p></span></p><p class=MsoNormal><span lang=TR>E-mail : <a href="mailto:atilla.biler@turktrust.com.tr"><span style='color:windowtext'>atilla.biler@turktrust.com.tr</span></a> <o:p></o:p></span></p><p class=MsoNormal><span lang=TR>Web : <a href="http://www.turktrust.com.tr/"><span style='color:windowtext'>www.turktrust.com.tr</span></a> <o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=TR style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span lang=TR style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b>From:</b> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> 3 Aralık 2015 Perşembe 23:24<br><b>To:</b> CABFPub <public@cabforum.org><br><b>Subject:</b> Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements<o:p></o:p></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='color:#1F497D'>Adding public link to final version: </span><a href="https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf">https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf</a><span style='color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> </span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> [</span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>mailto:public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> Thursday, December 03, 2015 4:04 PM<br><b>To:</b> CABFPub<br><b>Subject:</b> [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>After a 2 week pre-ballot, the Code Signing Working Group has now prepared the formal ballot below:<o:p></o:p></p><p class=MsoNormal><u><o:p><span style='text-decoration:none'> </span></o:p></u></p><p class=MsoNormal><u>Ballot 158: Adopt Code Signing Baseline Requirements<o:p></o:p></u></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The following motion is proposed by the Code Signing Working Group and is endorsed by Microsoft, Trend Micro and OATI. Further information on the ballot is in the email message below.<o:p></o:p></p><p class=line874><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>- - - - Motion for Ballot 158 - - - -<o:p></o:p></span></b></p><p class=line874><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Be it resolved that the CA / Browser Forum adopts the recommendation of the Code Signing Working Group for Version 1.0 of the Baseline Requirements for Code Signing. Once adopted, the effective date will be October 1, 2016.<o:p></o:p></span></p><p class=line874><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>- - - - Motion Ends - - - -<o:p></o:p></span></b></p><p class=MsoNormal>The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015, and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by posting an on-list reply to this thread. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://cabforum.org/members/">https://cabforum.org/members/</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Dean Coclin and Jeremy Rowley<o:p></o:p></p><p class=MsoNormal>Code Signing Working Group co-chairs<o:p></o:p></p><p class=MsoNormal><span style='color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> </span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'> [</span><a href="mailto:public-bounces@cabforum.org"><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>mailto:public-bounces@cabforum.org</span></a><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif'>] <b>On Behalf Of </b>Dean Coclin<br><b>Sent:</b> Thursday, November 19, 2015 2:01 PM<br><b>To:</b> CABFPub<br><b>Subject:</b> [cabfpub] Pre-Ballot: Code Signing Baseline Requirements<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The Code Signing Working Group of the CA/Browser Forum has completed its work on Version 1 of the Code Signing Baseline Requirements. The Working Group has been meeting over the last 2+ years to develop and bring this topic to the Forum for approval. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>This Working Group was chartered by the Forum at the Mozilla face to face meeting in February 2013 and has brought together forum members and outside participants to craft a document which we believe will help improve the security of the ecosystem. Forum members in the working group include: Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional, Globalsign, Izenpe, Microsoft, Startcom, SwissSign, Symantec, Trend Micro, WoSign as well as non-members: Cacert, Intarsys, OTA, Richter, and Travelport. Also, there have been several public commenting periods which resulted in changes and revisions to the document. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The stated goal of the group was to: “Create a set of baseline requirements for code signing that will reduce the incidence of signed malware”. We strived to work on 3 sub goals, which are by no means 100% solved. However we feel that the document reflects progress towards these goals which were:<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Minimize private key theft by moving toward more secure key storage (protection of private keys)<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Baseline authentication and vetting procedures for all parties<o:p></o:p></p><p class=MsoListParagraph style='text-indent:-18.0pt;mso-list:l0 level1 lfo2'><![if !supportLists]><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span><![endif]>Information sharing (notification/revocation) for fraud detection. This piece was moved to the Information Sharing Working Group<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><u>The document is now final and no further changes are being accepted</u>. Comments and suggestions will be accumulated for a future version of the document.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>The group is seeking 2 endorsers for the ballot below:<o:p></o:p></p><p class=line874><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>- - - - Motion for Ballot XXX - - - -<o:p></o:p></span></b></p><p class=line874><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>Be it resolved that the CA / Browser Forum adopts the recommendation of the Code Signing Working Group for Version 1.0 of the Baseline Requirements for Code Signing. Once adopted the effective date will be October 1, 2016.<o:p></o:p></span></p><p class=line874><b><span style='font-size:11.0pt;font-family:"Calibri",sans-serif'>- - - - Motion Ends - - - -<o:p></o:p></span></b></p><p class=MsoNormal>The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015, and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by posting an on-list reply to this thread. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here: <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><a href="https://cabforum.org/members/">https://cabforum.org/members/</a> <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members– at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>