[Cscwg-public] Code Signing Guidelines update v5

Bruce Morton Bruce.Morton at entrustdatacard.com
Thu May 7 12:18:24 MST 2020


Attached are the redline and the clean draft of the Code Signing Baseline Requirements (CSBRs).

I addressed the effective date, but since the text said "after", I stated "after 31 January 2017."

Here are the Parking Lot items.
7.2 - Signing Service warranties should be separated from the CA warranties
8.2 - For discussion, "Subsequent signature validation MAY ignore revocation, especially if rejecting the Code will cause the device to fail to boot."
8.5 - Do we need the Insurance requirement?
9.2.4 - Should we address including givenName and surName in certificates?
11.1.1 - Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent Company's, or Subsidiary Company's date of formation, as indicated by either a QIIS or QGIS, was less than three years prior to the date of the Certificate Request, verify the identity of the Certificate Requester."
11.1.2 - How to identify individuals working on open source code as part of a consortium?
11.2 - Should EV Guidelines section 11.5 regarding Verified Method of Communication be addressed?
11.5 - High risk certificate requests should either be removed or updated to provide common methods for all CAs.
14 - Consolidate Employee and Third Party requirements for Non-EV and EV Certificates.
15 - Consolidate Data Records for CAs, Signing Authorities, and Time-stamp Authorities.
16.3 - Subscriber private key protection should be updated. Cloud-based key protection should be considered.
17.1 - Review if special audit criteria are needed for Government CAs.

I will post the documents and the parking lot items to https://wiki.cabforum.org/cscwg/start.


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Friday, May 1, 2020 12:27 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL][Cscwg-public] Code Signing Guidelines update v4

Here is an updated document.

Some notes:

  1.  The Issues list below has been addressed based on our meeting on 23 April 2020
  2.  Updates have been provided to sections 1 and 4
  3.  Definition updates have been pushed through other sections
  4.  Question - We have defined Effective Date as "The date this document is adopted as a root store requirement by an Application Software Supplier." Do we need this or should we put in a real date?
  5.  New Parking Lot item - Signing Service warranties should be separated from the CA warranties


Thanks, Bruce.

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Bruce Morton via Cscwg-public
Sent: Thursday, April 9, 2020 4:39 PM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL][Cscwg-public] Code Signing Guidelines update v3

Attached is the updated document based on today's meeting. I also updated section 18 based on discussions with Dean.

Below are 2 lists. The Issues list contains items which should be addressed before finalizing the document. The Parking Lot list contains items to be discussed, or changes to be made, after the merger has been completed.

Issues:
9.4 - Should the Signing Service Certificate maximum validity period be 39 months or 135 months? Or do we need a Non-EV and an EV Certificate requirement?
Appendix A - Confirm the requirement for key size minimum of 3072-bit RSA effective 1 January 2021, also applies to EV Code Signing Roots, EV Subordinate CAs, EV Subscriber Certificates, EV Time-stamp CAs and EV Time-stamp Certificates.
Appendix B 2.F - May EV Subordinate CA Certificates have EKUs which may include documentSigning and emailProtection?
Appendix B 3.F - May EV Code Signing Certificates have EKUs which may include documentSigning, lifetimeSigning, and emailProtection?

Parking Lot Items:
8.2 - For discussion, "Subsequent signature validation MAY ignore revocation, especially if rejecting the Code will cause the device to fail to boot."
8.5 - Do we need the Insurance requirement?
9.2.4 - Should we address including givenName and surName in certificates?
11.1.1 - Discuss item 4, "If the Subject's or Subject's Affiliate's, Parent Company's, or Subsidiary Company's date of formation, as indicated by either a QIIS or QGIS, was less than three years prior to the date of the Certificate Request, verify the identity of the Certificate Requester."
11.1.2 - How to identify individuals working on open source code as part of a consortium?
11.2 - Should EV Guidelines section 11.5 regarding Verified Method of Communication be addressed?
11.5 - High risk certificate requests should either be removed or updated to provide common methods for all CAs.
14 - Consolidate Employee and Third Party requirements for Non-EV and EV Certificates.
15 - Consolidate Data Records for CAs, Signing Authorities, and Time-stamp Authorities.
16.3 - Subscriber private key protection should be updated. Cloud-based key protection should be considered.
17.1 - Review if special audit criteria are needed for Government CAs.


Thanks, Bruce.
Attachments:
Baseline and EV Requirements for the Issuance and Management of Code Signing v5 - redline.docx (134708 bytes): <http://cabforum.org/pipermail/cscwg-public/attachments/20200507/90261c36/attachment-0002.docx>
Baseline and EV Requirements for the Issuance and Management of Code Signing v5.docx (118026 bytes): <http://cabforum.org/pipermail/cscwg-public/attachments/20200507/90261c36/attachment-0003.docx>