[Cscwg-public] Code Signing Guidelines update v4

Dean Coclin dean.coclin at digicert.com
Fri May 1 10:56:06 MST 2020


Thanks Bruce,


I think we should put a real effective date in or something like x days
after ballot approved. What do others think?


All: please review the document as well as the parking lot list. Did we miss
anything on that list?


Thanks,

Dean


From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce
Morton via Cscwg-public
Sent: Friday, May 1, 2020 12:27 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Code Signing Guidelines update v4


Here is an updated document.

Some notes:

1. Issues list below have been addressed based on our meeting on 23 April 2020
2. Updates have been provided to sections 1 and 4
3. Definition updates have been pushed through other sections
4. Question - We have defined Effective Date as "The date this document is
   adopted as a root store requirement by an Application Software Supplier."
   Do we need this or should we put in a real date?
5. New Parking Lot item - Signing Service warranties should be separated from
   the CA warranties


Thanks, Bruce.


From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce
Morton via Cscwg-public
Sent: Thursday, April 9, 2020 4:39 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL][Cscwg-public] Code Signing Guidelines update v3


Attached is the updated document based on today's meeting. I also updated
section 18 based on discussions with Dean.


Below are 2 lists. The Issues list contains items which should be addressed
before finalizing the document. The Parking Lot list contains items to either
be discussed or changed after the merger has been completed.

Issues:

9.4 - Should the Signing Service Certificate maximum validity period be 39
months or 135 months? Or do we need a Non-EV and an EV Certificate
requirement?

Appendix A - Confirm the requirement for key size minimum of 3072-bit RSA
effective 1 January 2021, also applies to EV Code Signing Roots, EV
Subordinate CAs, EV Subscriber Certificates, EV Time-stamp CAs and EV
Time-stamp Certificates.

Appendix B 2.F - May EV Subordinate CA Certificates have EKUs which may
include documentSigning and emailProtection?

Appendix B 3.F - May EV Code Signing Certificates have EKUs which may
include documentSigning, lifetimeSigning, and emailProtection?


Parking Lot Items:

8.2 - For discussion, "Subsequent signature validation MAY ignore
revocation, especially if rejecting the Code will cause the device to fail
to boot."

8.5 - Do we need the Insurance requirement?

9.2.4 - Should we address including givenName and surName in certificates?

11.1.1 - Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent
Company's, or Subsidiary Company's date of formation, as indicated by either
a QIIS or QGIS, was less than three years prior to the date of the
Certificate Request, verify the identity of the Certificate Requester."

11.1.2 - How to identify individuals working on open source code as part of
a consortium?

11.2 - Should EV Guidelines section 11.5 regarding Verified Method of
Communication be addressed?

11.5 - High risk certificate requests should either be removed or updated to
provide common methods for all CAs.

14 - Consolidate Employee and Third Party requirements for Non-EV and EV
Certificates.

15 - Consolidate Data Records for CAs, Signing Authorities, and Time-stamp
Authorities.

16.3 - Subscriber private key protection should be updated. Cloud-based key
protection should be considered.

17.1 - Review if special audit criteria is needed for Government CAs.


Thanks, Bruce.
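The Appendix A and Appendix B items above are the kind of requirement a CA or root program ends up checking mechanically against issued certificates. The following is an added example and is not part of this thread or of any CA/Browser Forum document: a small Go lint, using only the standard library, that flags RSA subscriber keys below 3072 bits for certificates with a notBefore on or after 1 January 2021 (the size and date stated in the Appendix A item) and inventories EKUs other than codeSigning, reporting documentSigning, lifetimeSigning and emailProtection for review rather than rejecting them, since the thread leaves their permissibility as an open question. The documentSigning and lifetimeSigning OIDs are the Microsoft-assigned values (1.3.6.1.4.1.311.10.3.12 and .13); the certificates it checks are constructed, self-signed test certificates so the code runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Appendix A item from the thread: RSA keys of at least 3072 bits for
// certificates issued on or after 1 January 2021.
const minRSABits = 3072

var rsaMinEffective = time.Date(2021, time.January, 1, 0, 0, 0, 0, time.UTC)

// Microsoft-assigned EKU OIDs for the purposes named in the Appendix B
// questions. Go has no constants for them, so after parsing they appear
// in cert.UnknownExtKeyUsage rather than cert.ExtKeyUsage.
var (
	oidDocumentSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 12}
	oidLifetimeSigning = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 10, 3, 13}
)

// Lint reports key-size and EKU findings for a subscriber code signing
// certificate. EKUs other than codeSigning are reported for review, not
// treated as violations, because the thread has not settled that question.
func Lint(cert *x509.Certificate) []string {
	var findings []string

	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		bits := pub.N.BitLen()
		if !cert.NotBefore.Before(rsaMinEffective) && bits < minRSABits {
			findings = append(findings, fmt.Sprintf(
				"RSA key is %d bits; minimum is %d for certificates issued on or after %s",
				bits, minRSABits, rsaMinEffective.Format("2006-01-02")))
		}
	}

	hasCodeSigning := false
	for _, eku := range cert.ExtKeyUsage {
		switch eku {
		case x509.ExtKeyUsageCodeSigning:
			hasCodeSigning = true
		case x509.ExtKeyUsageEmailProtection:
			findings = append(findings, "EKU emailProtection present: review against Appendix B 3.F")
		default:
			findings = append(findings, fmt.Sprintf("EKU %d present: not a code signing purpose", eku))
		}
	}
	for _, oid := range cert.UnknownExtKeyUsage {
		switch {
		case oid.Equal(oidDocumentSigning):
			findings = append(findings, "EKU documentSigning present: review against Appendix B 3.F")
		case oid.Equal(oidLifetimeSigning):
			findings = append(findings, "EKU lifetimeSigning present: review against Appendix B 3.F")
		default:
			findings = append(findings, fmt.Sprintf("EKU %s present: not a code signing purpose", oid))
		}
	}
	if !hasCodeSigning {
		findings = append(findings, "EKU codeSigning missing")
	}
	return findings
}

// newTestCert builds a constructed, self-signed certificate so Lint can be
// exercised offline; real subscriber certificates would be CA-issued.
func newTestCert(bits int, notBefore time.Time, ekus []x509.ExtKeyUsage, extra []asn1.ObjectIdentifier) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "Example Subscriber (constructed)"},
		NotBefore:          notBefore,
		NotAfter:           notBefore.AddDate(3, 0, 0),
		KeyUsage:           x509.KeyUsageDigitalSignature,
		ExtKeyUsage:        ekus,
		UnknownExtKeyUsage: extra,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	issued2021 := time.Date(2021, time.March, 1, 0, 0, 0, 0, time.UTC)
	// A 2048-bit key issued after the effective date, carrying every EKU the
	// Appendix B question lists: one key-size finding plus three EKU reviews.
	cert, err := newTestCert(2048, issued2021,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageEmailProtection},
		[]asn1.ObjectIdentifier{oidDocumentSigning, oidLifetimeSigning})
	if err != nil {
		panic(err)
	}
	for _, f := range Lint(cert) {
		fmt.Println("-", f)
	}
}
```

Point Lint at certificates parsed from a CA's issued-certificate log rather than the constructed one to turn it into a batch compliance check; the date comparison uses notBefore because that is the only issuance timestamp carried in the certificate itself.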
