[cabfpub] EV Code Signing maximum validity

Rob Stradling rob.stradling at comodo.com
Fri Apr 12 19:23:39 UTC 2013

On 12/04/13 18:56, Eddy Nigg (StartCom Ltd.) wrote:
> On 04/12/2013 03:22 PM, From Rich Smith:
>> If that is indeed the case, and in the interest of consistency, how
>> would the members feel about lifting the 27 month restriction on EV
>> SSL certificates and settling on 39 month restriction across the
>> board.  If it is determined that moving to a 39 month restriction for
>> EV SSL is not acceptable, then IMO EV Code Signing should also be
>> restricted to 27 months.
> I believe it should be 27 month the most - but perhaps remove the
> hardware token requirement for those certificates which hinders
> currently adoption for such certificates.

Jeremy wrote "The risk with long-term EV Code Signing certs is primarily 
a loss of the private key, which is why we required a hardware token."

I have to agree that "loss of the private key" is a significant problem. 
  For example, an article published yesterday [1] claims that:
   "At least 35 gaming developers involved in the MMORPG field (Massive 
Multi-Player Online Role Playing Games) have been hacked in the last 
year-and-a-half by the so-called Winnti group, with one of the primary 
goals being to steal their digital certificates to use in other attacks".

If the private keys of these gaming companies had been held in hardware 
tokens, the attackers presumably would've been unable to steal the keys 
by hacking the systems remotely.  Instead, they would've had the harder 
job of somehow stealing the actual hardware tokens.

[1] http://www.wired.com/threatlevel/2013/04/gaming-company-certs-stolen/

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list