[Cscwg-public] Code Signing Guidelines update v4

Bruce Morton Bruce.Morton at entrustdatacard.com
Fri May 1 12:01:41 MST 2020


The issue with the Effective Date is that it pertains to the date that the original Minimum Requirements for Code Signing Certificates became effective, from the date that Microsoft put into their policy.

The Effective Date is only called out 3 times and basically states that certificates issued after that date need to conform to the requirements. Since we did not impact the certificate configuration, we can either use the old date OR just remove the references to effective date and put an effective date in the ballot for the new document.

Bruce.

From: Dean Coclin <dean.coclin at digicert.com>
Sent: Friday, May 1, 2020 1:56 PM
To: Bruce Morton <Bruce.Morton at entrustdatacard.com>; cscwg-public at cabforum.org
Subject: [EXTERNAL] RE: Code Signing Guidelines update v4

Thanks Bruce,

I think we should put a real effective date in or something like x days after ballot approved. What do others think?

All - please review the document as well as the parking lot list. Did we miss anything on that list?

Thanks,
Dean

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Friday, May 1, 2020 12:27 PM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Code Signing Guidelines update v4

Here is an updated document.

Some notes:

  1.  The Issues list below has been addressed based on our meeting on 23 April 2020
  2.  Updates have been provided to sections 1 and 4
  3.  Definition updates have been pushed through other sections
  4.  Question - We have defined Effective Date as "The date this document is adopted as a root store requirement by an Application Software Supplier." Do we need this or should we put in a real date?
  5.  New Parking Lot item - Signing Service warranties should be separated from the CA warranties


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Thursday, April 9, 2020 4:39 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] [Cscwg-public] Code Signing Guidelines update v3

Attached is the updated document based on today's meeting. I also updated section 18 based on discussions with Dean.

Below are 2 lists. The Issues list contains items which should be addressed before finalizing the document. The Parking Lot list contains items to either be discussed or changes to be made after the merger has been completed.

Issues:
9.4 - Should the Signing Service Certificate maximum validity period be 39 months or 135 months? Or do we need a Non-EV and an EV Certificate requirement?
Appendix A - Confirm the requirement for key size minimum of 3072-bit RSA effective 1 January 2021, also applies to EV Code Signing Roots, EV Subordinate CAs, EV Subscriber Certificates, EV Time-stamp CAs and EV Time-stamp Certificates.
Appendix B 2.F - May EV Subordinate CA Certificates have EKUs which may include documentSigning and emailProtection?
Appendix B 3.F - May EV Code Signing Certificates have EKUs which may include documentSigning, lifetimeSigning, and emailProtection?

Parking Lot Items:
8.2 - For discussion, "Subsequent signature validation MAY ignore revocation, especially if rejecting the Code will cause the device to fail to boot."
8.5 - Do we need the Insurance requirement?
9.2.4 - Should we address including givenName and surName in certificates?
11.1.1 - Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent Company's, or Subsidiary Company's date of formation, as indicated by either a QIIS or QGIS, was less than three years prior to the date of the Certificate Request, verify the identity of the Certificate Requester."
11.1.2 - How to identify individuals working on open source code as part of a consortium?
11.2 - Should EV Guidelines section 11.5 regarding Verified Method of Communication be addressed?
11.5 - High risk certificate requests should either be removed or updated to provide common methods for all CAs.
14 - Consolidate Employee and Third Party requirements for Non-EV and EV Certificates.
15 - Consolidate Data Records for CAs, Signing Authorities, and Time-stamp Authorities.
16.3 - Subscriber private key protection should be updated. Cloud-based key protection should be considered.
17.1 - Review if special audit criteria are needed for Government CAs.


Thanks, Bruce.