[cabfpub] EV Code Signing maximum validity

i-barreira at izenpe.net
Mon Apr 15 07:27:09 UTC 2013

I don't mind 27 or 39 months (even the "Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates" version 1.1 says in section 9.4 "validity period not exceeding 39 months"), but these certs have to be issued on hardware tokens (smartcards or USB tokens) and these hardware tokens should have minimum requirements. In the EU, most of the CAs that issue certs are familiar with these hardware tokens and impose some requirements on the ones they provide. Recently I launched a public tender with some requirements for smartcards and USB tokens (if someone wants to have nightmares I can provide it) and one of the requisites is that the private key can't be exported in any way (this is not new, it's commonly used) and all the "signing" process is done in the smartcard.

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On behalf of Rob Stradling
Sent: Friday, 12 April 2013 21:24
To: public at cabforum.org
Subject: Re: [cabfpub] EV Code Signing maximum validity

On 12/04/13 18:56, Eddy Nigg (StartCom Ltd.) wrote:
> On 04/12/2013 03:22 PM, From Rich Smith:
>> If that is indeed the case, and in the interest of consistency, how 
>> would the members feel about lifting the 27 month restriction on EV 
>> SSL certificates and settling on 39 month restriction across the 
>> board.  If it is determined that moving to a 39 month restriction for 
>> EV SSL is not acceptable, then IMO EV Code Signing should also be 
>> restricted to 27 months.
> I believe it should be 27 months at the most - but perhaps remove the 
> hardware token requirement for those certificates, which currently 
> hinders adoption of such certificates.

Jeremy wrote "The risk with long-term EV Code Signing certs is primarily a loss of the private key, which is why we required a hardware token."

I have to agree that "loss of the private key" is a significant problem.
For example, an article published yesterday [1] claims that:
   "At least 35 gaming developers involved in the MMORPG field (Massive Multi-Player Online Role Playing Games) have been hacked in the last year-and-a-half by the so-called Winnti group, with one of the primary goals being to steal their digital certificates to use in other attacks".

If the private keys of these gaming companies had been held in hardware tokens, the attackers presumably would've been unable to steal the keys by hacking the systems remotely.  Instead, they would've had the harder job of somehow stealing the actual hardware tokens.

[1] http://www.wired.com/threatlevel/2013/04/gaming-company-certs-stolen/

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
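Both messages above turn on one property: the signing key must live on the token, be non-exportable, and have never existed outside it (Iñigo's tender requirement, and Rob's point that the Winnti attackers could not have copied such a key by hacking a host remotely). The script below is an added example written for this page, not code from the CA/Browser Forum thread or from any CA. It expresses that requirement as an audit of the standard PKCS#11 (Cryptoki) attributes a token reports for each private-key object. The live path assumes the PyKCS11 library and a module path supplied in the PKCS11_MODULE environment variable (both assumptions, not in the original); without them it runs over constructed sample attribute sets so it works offline.

```python
"""Audit PKCS#11 private-key attributes against a "non-exportable, on-token" policy.

Added example, not part of the cabfpub thread. The attribute semantics are
those of the PKCS#11 standard; the PyKCS11 calls in read_live_token() and the
PKCS11_MODULE / PKCS11_PIN environment variables are this script's assumptions.
"""
import os
import sys

# Boolean CKA_* attributes that decide whether a private key can leave the token.
ATTRIBUTE_NAMES = (
    "CKA_TOKEN",              # stored on the token (not a transient session object)
    "CKA_PRIVATE",            # usable only after PIN login
    "CKA_SENSITIVE",          # key value can never be read via C_GetAttributeValue
    "CKA_EXTRACTABLE",        # key can be wrapped out of the token via C_WrapKey
    "CKA_ALWAYS_SENSITIVE",   # has been CKA_SENSITIVE since creation
    "CKA_NEVER_EXTRACTABLE",  # has never had CKA_EXTRACTABLE set to TRUE
)


def audit_key_attributes(attrs):
    """Return a list of policy findings for one private-key object.

    `attrs` maps CKA_* name -> bool as reported by the token. An empty list
    means the key is on-token, non-exportable, and has never existed in
    software, which is the property the hardware-token requirement is after.
    """
    findings = []
    if attrs.get("CKA_TOKEN") is not True:
        findings.append("CKA_TOKEN is not TRUE: session object, not stored on the token")
    if attrs.get("CKA_PRIVATE") is not True:
        findings.append("CKA_PRIVATE is not TRUE: usable without PIN login")
    if attrs.get("CKA_SENSITIVE") is not True:
        findings.append("CKA_SENSITIVE is not TRUE: key value readable with C_GetAttributeValue")
    if attrs.get("CKA_EXTRACTABLE") is not False:
        findings.append("CKA_EXTRACTABLE is not FALSE: key can be wrapped out with C_WrapKey")
    # The two history attributes matter most for the "stolen remotely" scenario:
    # EXTRACTABLE=FALSE only says the key cannot be wrapped out *now*.
    if attrs.get("CKA_ALWAYS_SENSITIVE") is not True:
        findings.append("CKA_ALWAYS_SENSITIVE is not TRUE: key was imported, a plaintext copy existed off-token")
    if attrs.get("CKA_NEVER_EXTRACTABLE") is not True:
        findings.append("CKA_NEVER_EXTRACTABLE is not TRUE: key was exportable at some point in its lifetime")
    return findings


def is_non_exportable(attrs):
    """True only when every check in audit_key_attributes() passes."""
    return not audit_key_attributes(attrs)


# Constructed sample objects (not read from any real token) covering the
# three situations a procurement check typically meets.
SAMPLE_KEYS = {
    # Generated on the card with C_GenerateKeyPair, export never enabled.
    "on-card generated": dict(CKA_TOKEN=True, CKA_PRIVATE=True, CKA_SENSITIVE=True,
                              CKA_EXTRACTABLE=False, CKA_ALWAYS_SENSITIVE=True,
                              CKA_NEVER_EXTRACTABLE=True),
    # A PEM key loaded with C_CreateObject and then locked down: per the
    # standard, ALWAYS_SENSITIVE and NEVER_EXTRACTABLE are FALSE for such keys.
    "imported from file": dict(CKA_TOKEN=True, CKA_PRIVATE=True, CKA_SENSITIVE=True,
                               CKA_EXTRACTABLE=False, CKA_ALWAYS_SENSITIVE=False,
                               CKA_NEVER_EXTRACTABLE=False),
    # Generated on the card but left wrappable for "backup".
    "backup-enabled": dict(CKA_TOKEN=True, CKA_PRIVATE=True, CKA_SENSITIVE=True,
                           CKA_EXTRACTABLE=True, CKA_ALWAYS_SENSITIVE=True,
                           CKA_NEVER_EXTRACTABLE=False),
}


def read_live_token(module_path, pin=None):
    """Return [(label, attrs)] for every private key on the first present token.

    Assumes the PyKCS11 package (load, getSlotList, openSession, login,
    findObjects, getAttributeValue are its documented API).
    """
    import PyKCS11  # imported here so the offline path needs no dependency
    lib = PyKCS11.PyKCS11Lib()
    lib.load(module_path)
    slot = lib.getSlotList(tokenPresent=True)[0]
    session = lib.openSession(slot, PyKCS11.CKF_SERIAL_SESSION)
    if pin:
        session.login(pin)  # CKA_PRIVATE objects are invisible before login
    attr_ids = [getattr(PyKCS11, name) for name in ATTRIBUTE_NAMES]
    result = []
    for obj in session.findObjects([(PyKCS11.CKA_CLASS, PyKCS11.CKO_PRIVATE_KEY)]):
        values = session.getAttributeValue(obj, [PyKCS11.CKA_LABEL] + attr_ids)
        label = str(values[0])
        attrs = {name: bool(v) for name, v in zip(ATTRIBUTE_NAMES, values[1:])}
        result.append((label, attrs))
    if pin:
        session.logout()
    session.closeSession()
    return result


def main():
    module = os.environ.get("PKCS11_MODULE")
    keys = read_live_token(module, os.environ.get("PKCS11_PIN")) if module else SAMPLE_KEYS.items()
    failed = 0
    for label, attrs in keys:
        findings = audit_key_attributes(attrs)
        print(("OK  " if not findings else "FAIL"), label)
        for finding in findings:
            print("      -", finding)
        failed += bool(findings)
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with no environment variables to see the three constructed cases, or set PKCS11_MODULE (and PKCS11_PIN) to point at a vendor's Cryptoki library to audit a real token. The point of the two history attributes is that a key which reports CKA_EXTRACTABLE=FALSE today can still have been generated in software and imported, or exported for "backup" before being locked, in which case a copy may already sit on exactly the kind of compromised host the Winnti article describes; only CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE both TRUE say the key never left the card.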