[Cscwg-public] Proposal to make changes to revocation based on malware

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Dec 15 13:26:40 UTC 2022



On 12/15/2022 11:59 AM, Martijn Katerbarg via Cscwg-public wrote:
>
> All,
>
> We had a good discussion on the malware proposal during the last call. 
> I believe we’re nearly there. Trevoli and Tim you had suggestions (and 
> thank you Dean for spelling it out in the minutes!) to make it more 
> clear and also allow for the exceptional cases where revoking a CS 
> cert would do more damage than not.
>
> Based on this, it seems we were leaning into making the following changes:
>
>
> Change:
>
>    a.  If the Subscriber responds within 72 hours, the CA and 
> Subscriber MAY determine a "reasonable date" to revoke the 
> certificate. The revocation date MUST NOT be more than 7 calendar days 
> after the CA received the Certificate Problem Report.
> Into:
>    a.  If the Subscriber responds within 72 hours, the CA MAY 
> determine a "reasonable date" to revoke the certificate. The CA:
>
>   * MUST revoke the certificate no later than 7 calendar days after
>     the CA received the Certificate Problem Report; or,
>   * MUST submit a plan for revocation to all Application Software
>     Suppliers based on discussions with the Subscriber no later than 7
>     calendar days after the CA received the Certificate Problem Report
>
>
> Thoughts on this?
> The one thought I have on this is, are Application Software Suppliers 
> (i.e. Certificate Consumers, but that’s not a CSCBR defined term) 
> willing to take on these plans and provide responses to the CA?
> Cause if they don’t, it seems we again have a loophole in which 
> revocation can be done much later based upon subscriber request…
>

I have the same concerns with the second bullet. And how do we determine 
"all" Suppliers? CAs have no visibility on Relying Party software.

I believe that the reason to "contact negatively-affected Application 
Software Suppliers" is to determine the proper "reasonable date" that 
would invalidate the malware signatures and not affect other "good 
signatures" that would have a significant impact on Relying Parties. If 
there is no response from the Application Software Supplier, the CA 
should revoke with a "reasonable date" based on its investigation at the 
time.

Please take a look at the following proposal. I'd appreciate feedback 
and language improvements to describe the process accurately and safely 
in order to protect Relying Parties from executing Suspect Code as much 
as possible. Worst case, CAs will revoke the Certificate with a 
revocation date set at the time of the revocation event which does not 
affect any previously signed code, including the Suspect Code which will 
be executed successfully by Relying Parties even after the revocation of 
the Certificate.


4.9.1.3 Revocation Based on Reported or Detected Compromise or Use in Suspect Code

Except for cases that fall under Section 4.9.1.1, if, while 
investigating a Certificate Problem Report, the CA determines the 
Subscriber's Private Key is compromised or likely being used for Suspect 
Code, the CA SHALL revoke the corresponding Code Signing Certificate in 
accordance with and within the following maximum time frames. Nothing 
herein prohibits a CA from revoking a Code Signing Certificate prior to 
these time frames.

 1. The CA SHALL contact the Subscriber within 24 hours after the CA
    received the Certificate Problem Report, notifying that the
    Certificate is scheduled to be revoked with a revocation date set
    before the time that the Private Key became compromised or likely
    used to sign Suspect Code. This revocation date is set in the past
    to prevent Relying Parties from executing Suspect Code signed with
    the affected Code Signing Certificate.
 2. The CA SHALL request the Subscriber to respond with an impact
    assessment of affected Relying Parties if the revocation date is set
    before the time that the Private Key became compromised or likely
    used to sign Suspect Code, and to state the associated Application
    Software Supplier(s).
 3. The CA SHALL request the Subscriber to respond to the CA within 72
    hours of the CA sending the notification.
 4. If the Subscriber responds within 72 hours, then based on the
    Subscriber's impact assessment:
     1. the CA MAY submit a revocation plan to associated Application
        Software Suppliers no later than 7 calendar days after the CA
        received the Certificate Problem Report. The revocation plan:
         1. SHALL state the planned revocation date to be set for the
            to-be-revoked Certificate; and
         2. SHALL request suggestions for a "more appropriate"
            revocation date in case the proposed revocation date has a
            significant impact on Relying Parties associated with that
            particular Application Software Supplier.
         3. The CA SHALL request the Application Software Supplier to
            respond within 72 hours.
     2. Based on the feedback received, the CA MAY determine a more
        appropriate revocation date to be associated with the revocation
        of the Certificate.
     3. The CA SHALL revoke the Certificate within 7 days after the CA
        received the Certificate Problem Report.
 5. If the CA does not receive a response from the Subscriber, then the
    CA SHALL revoke the Certificate within 24 hours from the end of the
    response period.

A CA revoking a Certificate because the Certificate was associated with 
signed Suspect Code or other fraudulent or illegal conduct SHOULD 
provide all relevant information and risk indicators to other CAs, 
Application Software Suppliers, or industry groups. The CA SHOULD 
contact the Application Software Suppliers within 24 hours after the CA 
received the Certificate Problem Report.


Thanks,
Dimitris.
>
> Note: I won’t be able to attend today's call, but feel free to discuss.
>
> *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf Of 
> *Dimitris Zacharopoulos (HARICA) via Cscwg-public
> *Sent:* Tuesday, 29 November 2022 10:13
> *To:* cscwg-public at cabforum.org
> *Subject:* Re: [Cscwg-public] Proposal to make changes to revocation 
> based on malware
>
> On 28/11/2022 2:50 p.m., Martijn Katerbarg via Cscwg-public wrote:
>
>     All,
>
>     I just pushed a new commit
>     (https://github.com/cabforum/code-signing/pull/10/commits/8e7e3b4e57960994edea267f0e753358aad99574)
>     based on the discussions and comments I’ve had and received.
>
>     The complete ballot “redline” in GitHub is available for review on
>     https://github.com/cabforum/code-signing/pull/10/files
>
>
> If the CA confirms that a Subscriber has signed "Suspect Code", how 
> would the group feel with a proposal to require CAs to *backdate 
> revoke* the Code Signing Certificate to a date and time that would 
> neutralize the Suspect Code? If this date and time is unlikely to be 
> determined, backdate revoke 1'' after the notBefore date and time of 
> the Code Signing Certificate?
>
>
> Thanks,
> Dimitris.
>
>
>
>     *From:*Cscwg-public <cscwg-public-bounces at cabforum.org>
>     <mailto:cscwg-public-bounces at cabforum.org> *On Behalf Of *Martijn
>     Katerbarg via Cscwg-public
>     *Sent:* Monday, 26 September 2022 11:58
>     *To:* Dimitris Zacharopoulos (HARICA) <dzacharo at harica.gr>
>     <mailto:dzacharo at harica.gr>; cscwg-public at cabforum.org
>     *Subject:* Re: [Cscwg-public] Proposal to make changes to
>     revocation based on malware
>
>     Thank you Dimitris. That makes sense. I’ve pushed an update to the
>     draft-PR
>
>     *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On Behalf
>     Of *Dimitris Zacharopoulos (HARICA) via Cscwg-public
>     *Sent:* Friday, 23 September 2022 18:47
>     *To:* cscwg-public at cabforum.org
>     *Subject:* Re: [Cscwg-public] Proposal to make changes to
>     revocation based on malware
>
>     I posted some proposed changes for consistency and accuracy.
>
>      1. https://github.com/cabforum/code-signing/pull/10#pullrequestreview-1118760785
>
>
>     Thanks,
>     Dimitris.
>
>     On 23/9/2022 3:55 p.m., Bruce Morton via Cscwg-public wrote:
>
>         Hi Martijn,
>
>         I will endorse the ballot.
>
>         Thanks, Bruce.
>
>         *From:*Cscwg-public <cscwg-public-bounces at cabforum.org>
>         <mailto:cscwg-public-bounces at cabforum.org> *On Behalf Of
>         *Martijn Katerbarg via Cscwg-public
>         *Sent:* Friday, September 23, 2022 3:44 AM
>         *To:* cscwg-public at cabforum.org
>         *Subject:* [EXTERNAL] Re: [Cscwg-public] Proposal to make
>         changes to revocation based on malware
>
>         All,
>
>         As discussed on yesterday's call, the latest changes which Tim
>         and I were discussing are pushed into GitHub.
>
>         The complete change can be found at
>         https://github.com/cabforum/code-signing/pull/10/files
>         for review.
>
>         Bruce, Ian, since I earlier had your endorsements, please let
>         me know if they still stand. The changes since the
>         endorsements, are captured in
>         https://github.com/cabforum/code-signing/pull/10/commits/90fa38ab4dc5e5f9b25fce844b750d693f7256b7
>
>         If there are no other comments, then hopefully we can start a
>         ballot process on this.
>
>
>         Regards,
>
>         Martijn
>
>         *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On
>         Behalf Of *Martijn Katerbarg via Cscwg-public
>         *Sent:* Tuesday, 19 July 2022 09:22
>         *To:* Tim Hollebeek <tim.hollebeek at digicert.com>;
>         cscwg-public at cabforum.org
>         *Subject:* Re: [Cscwg-public] Proposal to make changes to
>         revocation based on malware
>
>         Thanks Tim,
>
>          1. What is the motivation for allowing a waiver if approved
>             by just “at least one” of the stakeholders, instead of all
>             of them?
>          2. I’m a bit concerned that language might be increasingly
>             troublesome as we continue to expand the scope and
>             participation of this group.
>
>         I believe it might be difficult to get approval from all
>         stakeholders within a certain amount of time, meaning the CA
>         would possibly never get all approvals, and never be able to
>         utilize the waiver.
>
>         Considering that signed code is often (but not exclusively)
>         targeted for a specific platform, stakeholders of other
>         platforms might not be inclined to give approval for something
>         that does not even affect them.
>
>         I do share your concern, but I also don’t see a better path
>         towards the same goal.
>
>          3. Similarly, I’m unsure how I feel about making compliance
>             distinctions based on whether a particular root program
>             has decided to have a contractual relationship with its
>             issuers or not.  That seems like an implementation detail
>             of the relationship that the guidelines should remain
>             silent on.  But I appreciate what that definition is
>             intended to do, and would like to perhaps find a different
>             way to express the same intent.
>
>         Good point, and maybe the word “contract” is too much here?
>
>         Although I would note this language is already part of the
>         “Certificate Beneficiaries” definition right now.
>
>         I’m open for a different suggestion
>
>         *From:*Tim Hollebeek <tim.hollebeek at digicert.com>
>         *Sent:* Friday, 15 July 2022 18:18
>         *To:* Martijn Katerbarg <martijn.katerbarg at sectigo.com>;
>         cscwg-public at cabforum.org
>         *Subject:* RE: [Cscwg-public] Proposal to make changes to
>         revocation based on malware
>
>         What is the motivation for allowing a waiver if approved by
>         just “at least one” of the stakeholders, instead of all of them?
>
>         I’m a bit concerned that language might be increasingly
>         troublesome as we continue to expand the scope and
>         participation of this group.
>
>         Similarly, I’m unsure how I feel about making compliance
>         distinctions based on whether a particular root program has
>         decided to have a contractual relationship with its issuers or
>         not.  That seems like an implementation detail of the
>         relationship that the guidelines should remain silent on.  But
>         I appreciate what that definition is intended to do, and would
>         like to perhaps find a different way to express the same intent.
>
>         -Tim
>
>         *From:*Cscwg-public <cscwg-public-bounces at cabforum.org> *On
>         Behalf Of *Martijn Katerbarg via Cscwg-public
>         *Sent:* Monday, June 27, 2022 10:04 AM
>         *To:* cscwg-public at cabforum.org
>         *Subject:* [Cscwg-public] Proposal to make changes to
>         revocation based on malware
>
>         All,
>
>         As already hinted during the last meeting during the F2F, Ian
>         and I have been working on a proposal affecting the
>         guidelines regarding malware based revocation.
>
>         The intent of this change is to:
>
>          1. Limit the number of days before a certificate needs to be
>             revoked, especially when the subscriber is not responding
>             to inquiries
>          2. Remove the OCSP log analysis requirements
>          3. Simplify the process that has to be followed
>
>         I have attached 3 documents: one with the current language,
>         one with the proposed language, as well as a redlined version.
>
>         The changes have been made based on upcoming version 3.0 of
>         the CSCBRs. In case you wish to compare with version 2.8, the
>         relevant section is 13.1.5.3. Besides that section, there
>         is also a change to the “Suspect Code” definition, as well as
>         a new definition in the proposal.
>
>         Once PR6
>         has been merged, I will also prepare the changes in GIT for
>         those that prefer comparing there.
>
>         Looking forward to comments to this and move towards a
>         potential ballot.
>
>         Regards,
>
>         Martijn
>
>
>         _______________________________________________
>
>         Cscwg-public mailing list
>
>         Cscwg-public at cabforum.org
>
>         https://lists.cabforum.org/mailman/listinfo/cscwg-public
>
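To make the timeline in Dimitris's proposed 4.9.1.3 text and the effect of a backdated revocation date concrete, the following is an added illustration written for this page; it is not text from the thread, the ballot PR or the CSCBR. It models the 24h/72h/7-day deadlines, picks a revocation date just before the earliest known suspect signing time (falling back to one second after notBefore, as suggested earlier in the thread), and computes the kind of impact assessment the proposal asks the Subscriber for, over constructed signing times.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
ONE_SECOND = timedelta(seconds=1)


def ts(s):
    """Parse a constructed 'YYYY-MM-DD HH:MM' string as a UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=UTC)


def deadlines(cpr_received, notification_sent=None):
    """Deadlines implied by the proposed 4.9.1.3 text, measured from the time
    the CA received the Certificate Problem Report (CPR). notification_sent
    defaults to the latest permitted time, 24 hours after the CPR."""
    notify_by = cpr_received + timedelta(hours=24)
    sent = notification_sent or notify_by
    response_end = sent + timedelta(hours=72)   # Subscriber response period
    return {
        "notify_subscriber_by": notify_by,
        "subscriber_response_by": response_end,
        "revocation_plan_by": cpr_received + timedelta(days=7),
        "revoke_by_if_responded": cpr_received + timedelta(days=7),
        "revoke_by_if_silent": response_end + timedelta(hours=24),
    }


def signature_valid(signing_time, revocation_date):
    """A timestamped signature survives revocation only if it was made before
    the revocation date; a date set at the revocation event therefore leaves
    every earlier signature, Suspect Code included, intact."""
    return signing_time < revocation_date


def choose_revocation_date(not_before, suspect_times):
    """Backdate to just before the earliest known suspect signing time, or to
    one second after notBefore when that time cannot be determined."""
    if suspect_times:
        return min(suspect_times) - ONE_SECOND
    return not_before + ONE_SECOND


def impact(revocation_date, good_times, suspect_times):
    """Impact assessment: good signatures kept/lost and suspect ones neutralized."""
    kept = sum(signature_valid(t, revocation_date) for t in good_times)
    return {
        "good_kept": kept,
        "good_lost": len(good_times) - kept,
        "suspect_neutralized": sum(not signature_valid(t, revocation_date)
                                   for t in suspect_times),
    }


# Constructed sample data (hypothetical certificate and signing times).
NOT_BEFORE = ts("2022-01-10 09:00")
GOOD = [ts("2022-02-01 12:00"), ts("2022-06-15 08:30"), ts("2022-11-20 10:00")]
SUSPECT = [ts("2022-11-18 03:00"), ts("2022-11-25 22:15")]
CPR_RECEIVED = ts("2022-12-01 10:00")

if __name__ == "__main__":
    for name, when in deadlines(CPR_RECEIVED).items():
        print(f"{name:24} {when:%Y-%m-%d %H:%M}")
    backdated = choose_revocation_date(NOT_BEFORE, SUSPECT)
    print("backdated revocation date:", impact(backdated, GOOD, SUSPECT))
    print("date at revocation event: ", impact(ts("2022-12-08 10:00"), GOOD, SUSPECT))
```

The second `impact` call shows the worst case described above: with the revocation date set at the revocation event, no good signature is lost but no Suspect Code is neutralized either.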