[cabfpub] EV Code Signing maximum validity

Jeremy Rowley jeremy.rowley at digicert.com
Fri Apr 12 13:32:30 UTC 2013

39 months was not an arbitrary decision. EV code signing was set at 39
months because it required the use of a hardware token. This raised the cost
and difficulty in using a code signing certificate.  Because of that, the
Forum decided to extend the lifecycle of EV Code signing by one year.  


In addition, the risks behind a code signing certificate are difficult.  The
risk with long-term EV Code Signing certs is primarily a loss of the
private key, which is why we required a hardware token. The risk with a
long-term EV SSL Cert is a change in the domain owner.  When this happens,
the old owner can use the cert to conduct a MITM attack.  To reduce this
likelihood and ensure that the domain remains associated with the correct
entity, the lifecycle was set for 27 months, with a strong recommendation
that all EV Certs be 12 month certs.  Because the risks are different, the
certificates need different lifecycles.




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Friday, April 12, 2013 8:59 PM
To: ben at digicert.com; public at cabforum.org
Subject: Re: [cabfpub] EV Code Signing maximum validity



We could leave it alone, but IMO there are several compelling reasons not
to, and really no good reason that we should.  


A code signing cert is a higher risk product than an SSL cert, especially
one labeled as EV.  At least the EV SSL is tied to a specific FQDN.  An EV
Code Signing cert can sign code that shows up anywhere, is very portable and
can be stolen and put to fraudulent use much more easily.  As such if only
one is going to be allowed a 39 month validity, I would be MUCH more
inclined to allow that for an EV SSL than an EV Code Signing cert.  IMO
the decision to allow longer validity for EV Code Signing just doesn't add
up unless the decision is that a 39 month limit is deemed good enough across
the board.


If 39 months was not really discussed and a conscious decision made that it
was enough, then this would appear to be an arbitrary decision, that just
didn't get picked up until now, and to my mind that's an even better reason
to fix it.


I also think that since both are labeled as EV the standards between them
SHOULD be consistent wherever possible and unless there is a VERY
compelling reason for them to be, so as to maintain clarity of purpose to
Forum members, non-member CAs and to the public at large.




From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Friday, April 12, 2013 8:41 AM
To: richard.smith at comodo.com; public at cabforum.org
Subject: RE: [cabfpub] EV Code Signing maximum validity


Or we could leave them "as is", since code signing and SSL are certificates
used for different purposes.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rich Smith
Sent: Friday, April 12, 2013 6:22 AM
To: public at cabforum.org
Subject: [cabfpub] EV Code Signing maximum validity


In preparing to begin issuing EV Code Signing certificates, we noticed that
the maximum validity for EV Code Signing is 39 months as per the BRs, not 27
months as per the EV Guidelines.


My guess is that this is due to the fact that the EV Guidelines maximum
validity was set before there were any other rules in place limiting the
validity of certificates, but that since the EV Code Signing guidelines were
put in place after the BRs had set max validity to 39 months that it was
determined that the BR limit was enough.


If that is indeed the case, and in the interest of consistency, how would
the members feel about lifting the 27 month restriction on EV SSL
certificates and settling on a 39 month restriction across the board?  If it
is determined that moving to a 39 month restriction for EV SSL is not
acceptable, then IMO EV Code Signing should also be restricted to 27 months.




Rich Smith

Validation Manager


http://www.comodo.com


