[Cscwg-public] Proposal to make changes to revocation based on malware

Martijn Katerbarg martijn.katerbarg at sectigo.com
Thu Dec 15 09:59:36 UTC 2022


All,

 

We had a good discussion on the malware proposal during the last call. I believe we’re nearly there. Trevoli and Tim, you had suggestions (and thank you Dean for spelling it out in the minutes!) to make it more clear and also allow for the exceptional cases where revoking a CS cert would do more damage than not.

Based on this, it seems we were leaning into making the following changes:


Change:

   a.  If the Subscriber responds within 72 hours, the CA and Subscriber MAY determine a "reasonable date" to revoke the certificate. The revocation date MUST NOT be more than 7 calendar days after the CA received the Certificate Problem Report.
Into:
   a.  If the Subscriber responds within 72 hours, the CA MAY determine a "reasonable date" to revoke the certificate. The CA:

*	MUST revoke the certificate no later than 7 calendar days after the CA received the Certificate Problem Report; or,
*	MUST submit a plan for revocation to all Application Software Suppliers based on discussions with the Subscriber no later than 7 calendar days after the CA received the Certificate Problem Report

 


Thoughts on this?
The one thought I have on this is, are Application Software Suppliers (i.e. Certificate Consumers, but that’s not a CSCBR defined term) willing to take on these plans and provide responses to the CA?
Cause if they don’t, it seems we again have a loophole in which revocation can be done much later based upon subscriber request…

 

 

Note: I won’t be able to attend today’s call, but feel free to discuss.

 

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Tuesday, 29 November 2022 10:13
To: cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 


 

On 28/11/2022 2:50 PM, Martijn Katerbarg via Cscwg-public wrote:

All, 

 

I just pushed a new commit (https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574) based on the discussions and comments I’ve had and received.

 

The complete ballot “redline” in GitHub is available for review on https://github.com/cabforum/code-signing/pull/10/files


If the CA confirms that a Subscriber has signed "Suspect Code", how would the group feel with a proposal to require CAs to backdate revoke the Code Signing Certificate to a date and time that would neutralize the Suspect Code? If this date and time is unlikely to be determined, backdate revoke 1'' after the notBefore date and time of the Code Signing Certificate?


Thanks,
Dimitris.





 

 

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Monday, 26 September 2022 11:58
To: Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 


 

Thank you Dimitris. That makes sense. I’ve pushed an update to the draft-PR.

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Dimitris Zacharopoulos (HARICA) via Cscwg-public
Sent: Friday, 23 September 2022 18:47
To: cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 


 

I posted some proposed changes for consistency and accuracy.

1.	https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785


Thanks,
Dimitris.

On 23/9/2022 3:55 PM, Bruce Morton via Cscwg-public wrote:

Hi Martijn,

 

I will endorse the ballot.

 

Thanks, Bruce.

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Friday, September 23, 2022 3:44 AM
To: cscwg-public at cabforum.org
Subject: [EXTERNAL] Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 



All,

 

As discussed on yesterday’s call, the latest changes which Tim and I were discussing are pushed into GitHub.

 

The complete change can be found at https://github.com/cabforum/code-signing/pull/10/files for review.

 

Bruce, Ian, since I earlier had your endorsements, please let me know if they still stand. The changes since the endorsements are captured in https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7

 

If there are no other comments, then hopefully we can start a ballot process on this.


Regards,

Martijn

 

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Tuesday, 19 July 2022 09:22
To: Tim Hollebeek <tim.hollebeek at digicert.com>; cscwg-public at cabforum.org
Subject: Re: [Cscwg-public] Proposal to make changes to revocation based on malware

 


 

Thanks Tim,

 

1.	What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?
2.	I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.

 

I believe it might be difficult to get approval from all stakeholders within a certain amount of time, meaning the CA would possibly never get all approvals, and never be able to utilize the waiver.  

 

Considering that signed code is often (but not exclusively) targeted for a specific platform, stakeholders of other platforms might not be inclined to give approval for something that does not even affect them.  

 

I do share your concern, but I also don’t see a better path towards the same goal.

 

3.	Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not.  That seems like an implementation detail of the relationship that the guidelines should remain silent on.  But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.

 

Good point, and maybe the word “contract” is too much here?

Although I would note this language is already part of the “Certificate Beneficiaries” definition right now.

 

I’m open to a different suggestion.

 

From: Tim Hollebeek <tim.hollebeek at digicert.com>
Sent: Friday, 15 July 2022 18:18
To: Martijn Katerbarg <martijn.katerbarg at sectigo.com>; cscwg-public at cabforum.org
Subject: RE: [Cscwg-public] Proposal to make changes to revocation based on malware

 


 

What is the motivation for allowing a waiver if approved by just “at least one” of the stakeholders, instead of all of them?

 

I’m a bit concerned that language might be increasingly troublesome as we continue to expand the scope and participation of this group.

 

Similarly, I’m unsure how I feel about making compliance distinctions based on whether a particular root program has decided to have a contractual relationship with its issuers or not.  That seems like an implementation detail of the relationship that the guidelines should remain silent on.  But I appreciate what that definition is intended to do, and would like to perhaps find a different way to express the same intent.

 

-Tim

 

From: Cscwg-public <cscwg-public-bounces at cabforum.org> On Behalf Of Martijn Katerbarg via Cscwg-public
Sent: Monday, June 27, 2022 10:04 AM
To: cscwg-public at cabforum.org
Subject: [Cscwg-public] Proposal to make changes to revocation based on malware

 

All,

 

As already hinted during the last meeting during the F2F, Ian and I have been working on a proposal affecting the guidelines regarding malware-based revocation.

 

The intent of this change is to:

1.	Limit the number of days before a certificate needs to be revoked, especially when the subscriber is not responding to inquiries
2.	Remove the OCSP log analysis requirements
3.	Simplify the process that has to be followed

 

I have attached 3 documents: one with the current language, one with the proposed language, as well as a redlined version.

 

The changes have been made based on the upcoming version 3.0 of the CSCBRs. In case you wish to compare with version 2.8, the relevant section is 13.1.5.3. Besides that section, there is also a change to the “Suspect Code” definition, as well as a new definition in the proposal.

Once PR6 <https://github.com/cabforum/code-signing/pull/6> has been merged, I will also prepare the changes in GIT for those that prefer comparing there.

 

Looking forward to comments on this and to moving towards a potential ballot.

Regards,

Martijn


_______________________________________________
Cscwg-public mailing list
Cscwg-public at cabforum.org
https://lists.cabforum.org/mailman/listinfo/cscwg-public

 






 
