[Cscwg-public] Code Signing Dedicated Root

Adriano Santoni adriano.santoni at staff.aruba.it
Wed Apr 14 11:56:33 UTC 2021 

Me too

+1

Il 14/04/2021 00:10, Ian McMillan via Cscwg-public ha scritto:
>
> I am very much supportive of this TS CSBR compliant OID and getting it 
> added.
>
> Thanks,
>
> Ian
>
> *From:* Bruce Morton <Bruce.Morton at entrust.com>
> *Sent:* Tuesday, April 13, 2021 8:09 AM
> *To:* Corey Bonnell <Corey.Bonnell at digicert.com>; 
> cscwg-public at cabforum.org; Ian McMillan <ianmcm at microsoft.com>
> *Subject:* [EXTERNAL] RE: Code Signing Dedicated Root
>
> Should we first have the OID approved and designated by the CAB Forum?
>
> Bruce.
>
> *From:* Corey Bonnell <Corey.Bonnell at digicert.com 
> <mailto:Corey.Bonnell at digicert.com>>
> *Sent:* Tuesday, April 13, 2021 11:07 AM
> *To:* Bruce Morton <Bruce.Morton at entrust.com 
> <mailto:Bruce.Morton at entrust.com>>; cscwg-public at cabforum.org 
> <mailto:cscwg-public at cabforum.org>; Ian McMillan <ianmcm at microsoft.com 
> <mailto:ianmcm at microsoft.com>>
> *Subject:* [EXTERNAL] RE: Code Signing Dedicated Root
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know 
> the content is safe.
>
> ------------------------------------------------------------------------
>
> Hi Bruce,
>
> I think this OID looks good; adding a requirement for Timestamp 
> Certificates to assert this OID should be a simple modification of 
> 9.3.1. I’d be happy to draft the update if someone can send me the 
> “master copy” of the Word doc for the current version of the CSBRs.
>
> Thanks,
>
> Corey
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org 
> <mailto:cscwg-public-bounces at cabforum.org>> *On Behalf Of *Bruce 
> Morton via Cscwg-public
> *Sent:* Monday, April 12, 2021 10:30 AM
> *To:* Ian McMillan <ianmcm at microsoft.com 
> <mailto:ianmcm at microsoft.com>>; cscwg-public at cabforum.org 
> <mailto:cscwg-public at cabforum.org>
> *Subject:* Re: [Cscwg-public] Code Signing Dedicated Root
>
> Another action is that we should create a timestamping certificate 
> policy OID to add to into the timestamping certificates, where the OID 
> is referenced from the CSBRs. This would mean that any timestamping 
> certificate with this OID would meet the requirements of the CSBRs.
>
> If agreed, I suggest: */codesigning-requirements(4) timestamp(2) — 
> 2.23.140.1.4.2  (Timestamp Certificate issued in compliance with the 
> Code Signing Baseline Requirements)/*
>
> Bruce.
>
> *From:* Ian McMillan <ianmcm at microsoft.com <mailto:ianmcm at microsoft.com>>
> *Sent:* Wednesday, March 17, 2021 4:10 PM
> *To:* Bruce Morton <Bruce.Morton at entrust.com 
> <mailto:Bruce.Morton at entrust.com>>; cscwg-public at cabforum.org 
> <mailto:cscwg-public at cabforum.org>
> *Subject:* [EXTERNAL] RE: Code Signing Dedicated Root
>
> WARNING: This email originated outside of Entrust.
> DO NOT CLICK links or attachments unless you trust the sender and know 
> the content is safe.
>
> ------------------------------------------------------------------------
>
> Thank you Bruce!
>
> This is a great subject to bring forward, and one that has been on my 
> mind as well (especially after Ryan’s presentation at the last F2F).
>
> Cheers,
>
> Ian
>
> *From:* Cscwg-public <cscwg-public-bounces at cabforum.org 
> <mailto:cscwg-public-bounces at cabforum.org>> *On Behalf Of *Bruce 
> Morton via Cscwg-public
> *Sent:* Wednesday, March 17, 2021 12:44 PM
> *To:* cscwg-public at cabforum.org <mailto:cscwg-public at cabforum.org>
> *Subject:* [EXTERNAL] [Cscwg-public] Code Signing Dedicated Root
>
> Based on the F2F discussion of dedicated PKI hierarchy for TLS and 
> S/MIME, I think we should also discuss for Code Signing.
>
> My understanding is that the direction is to have 1) one policy, 2) 
> one (or more) dedicated hierarchies to support the policy, and 3) one 
> audit.
>
> The good news is the CSWG is ready going in the right direction. We 
> have created one policy per the CSBRs which cover non-EV/EV code 
> signing certificates and the associated time-stamping certificates. In 
> addition, WebTrust has created one audit criteria, which would be able 
> to cover dedicated roots, subordinates CAs and subscriber certificates
>
> To address a dedicated hierarchy for Code Signing, a simple 
> implementation would be:
>
>   * One RSA root (or ECC root) for non-EV codesigning, EV code signing
>     and time-stamping subordinate CAs, and associated subscriber
>     certificates
>   * The hierarchy is to support the policy associated with only the
>     CSBRs only and would not by other requirements which would impact
>     the CSBR policy
>   * Subscriber certificates would have the applicable CA/Browser Forum
>     certificate policy OID to indicate they were issued iaw the CSBRs
>
> I have thought about other requirements for a Time-stamping dedicated 
> root and hierarchy. As Time-stamping only is out of scope for the 
> CSWG, I think we can only address time-stamping as it applies to code 
> signing certificates per the CSBRs. I also think that a single root to 
> cover both code signing and time-stamping would make it easier for 
> ubiquity and for end user validation of signatures.
>
> Regarding testing of roots, the CSBRs refer to SSL BR Appendix C. This 
> is an incorrect reference as the requirement is now in SSL BR 2.2, 
> which states:
>
> “The CA SHALL host test Web pages that allow Application Software 
> Suppliers to test their software with Subscriber Certificates that 
> chain up to each publicly trusted Root Certificate. At a minimum, the 
> CA SHALL host separate Web pages using Subscriber Certificates that 
> are (i) valid, (ii) revoked, and (iii) expired.”
>
> With a dedicated hierarchy which only issues code signing and 
> time-stamping certificates, we cannot issue SSL certificates for Web 
> pages. This only works now as we use multi-purpose roots. I think we 
> should change this requirement or allow an option, where the CA must 
> post on a test-site, signed/time-stamped code where the certificates 
> were issued from Subordinate CAs which were issued from the Root being 
> tested.
>
> Since we are in the early phase of moving to 4096-bit RSA CAs for code 
> signing, it would be great if we can agree as to what would be 
> acceptable for dedicated hierarchy with the goal of getting this right 
> from the beginning.
>
> Thanks, Bruce.
>
>
> _______________________________________________
> Cscwg-public mailing list
> Cscwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/cscwg-public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210414/3401cc8d/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4557 bytes
Desc: Firma crittografica S/MIME
URL: <http://lists.cabforum.org/pipermail/cscwg-public/attachments/20210414/3401cc8d/attachment-0001.p7s>

More information about the Cscwg-public mailing list