[cabfpub] EV Code Signing maximum validity

Jeremy Rowley jeremy.rowley at digicert.com
Mon Apr 15 08:51:59 MST 2013

There are minimum requirements for the hardware token.  Section 16 specifies
that hardware tokens must be FIPS 140-2 Level 2 or the equivalent. 


-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of i-barreira at izenpe.net
Sent: Monday, April 15, 2013 3:27 PM
To: rob.stradling at comodo.com; public at cabforum.org
Subject: Re: [cabfpub] EV Code Signing maximum validity

I don't mind 27 or 39 months (even the "guidelines for the issuance and
management of extended validation code signing certificates" version 1.1
says in section 9.4 "validity period not exceeding 39 months") but these
certs have to be issued in hardware tokens (smartcards or USB tokens) and
these hardware tokens should have minimum requirements. In the EU, most of
the CAs that issue certs are familiar with these hardware tokens and impose
some requirements to be provided. Recently I launched a public tender with
some requirements for smartcards and USB tokens (if someone wants to have
nightmares I can provide it) and one of the requisites is that the private
key can't be exported anyhow (this is not new, it's commonly used) and all
the "signing" process is done in the smartcard.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rob Stradling
Sent: Friday, April 12, 2013 21:24
To: public at cabforum.org
Subject: Re: [cabfpub] EV Code Signing maximum validity

On 12/04/13 18:56, Eddy Nigg (StartCom Ltd.) wrote:
> On 04/12/2013 03:22 PM, From Rich Smith:
>> If that is indeed the case, and in the interest of consistency, how 
>> would the members feel about lifting the 27 month restriction on EV 
>> SSL certificates and settling on 39 month restriction across the 
>> board.  If it is determined that moving to a 39 month restriction for 
>> EV SSL is not acceptable, then IMO EV Code Signing should also be 
>> restricted to 27 months.
> I believe it should be 27 months at the most - but perhaps remove the 
> hardware token requirement for those certificates which currently 
> hinders adoption for such certificates.

Jeremy wrote "The risk with long-term EV Code Signing certs is primarily a
loss of the private key, which is why we required a hardware token."

I have to agree that "loss of the private key" is a significant problem. 
  For example, an article published yesterday [1] claims that:
   "At least 35 gaming developers involved in the MMORPG field (Massive
Multi-Player Online Role Playing Games) have been hacked in the last
year-and-a-half by the so-called Winnti group, with one of the primary goals
being to steal their digital certificates to use in other attacks".

If the private keys of these gaming companies had been held in hardware
tokens, the attackers presumably would've been unable to steal the keys by
hacking the systems remotely.  Instead, they would've had the harder job of
somehow stealing the actual hardware tokens.

[1] http://www.wired.com/threatlevel/2013/04/gaming-company-certs-stolen/

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Public mailing list
Public at cabforum.org