[cabfpub] Code Signing Baseline Requirements - Public Draft

Ryan Sleevi sleevi at google.com
Mon Aug 25 15:45:54 MST 2014

On Mon, Aug 25, 2014 at 1:29 PM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

> Hi everyone,
> In 2013, the CA/Browser Forum voted to create a Code Signing Working Group
> whose sole purpose was to come up with a set of Baseline Requirements for
> the issuance of Code Signing Certificates. The result of that effort is
> enclosed. Once approved by the CA/B Forum and subsequent audit standards
> are created, all Certificate Authorities will be obligated to follow these
> Requirements when issuing and managing code signing certificates.
> The goals of this project and resulting document are as follows:
> 1. Create uniform identification and vetting procedures that all
> Certificate Authorities must follow when issuing code signing certificates
> 2. Identify ways to stop the theft of private keys and prevent key
> compromise by increasing the required levels of key protection
> 3. Identify origins of malware (geographic and otherwise) and
> implement procedures to reduce the incidence of signed malware
> 4. Document standards for code signing “services” which store
> private code-signing keys in cloud-based service offerings
> Although it may seem that the biggest beneficiaries of these guidelines
> will be large operating system vendors that utilize code signing
> certificates, the public as a whole will benefit from a reduced incidence
> of malware on their systems and devices. We urge users, the software
> development industry, and operating system platforms to carefully review
> this document and provide comments to the CA/B Forum by October 30, 2014.
> The Working Group will review every comment for incorporation into the
> final draft.  Comments should be sent to questions at cabforum.org.
> Thanks,
> The Code Signing Working Group
Jeremy, members of the Code Signing WG,

Thank you for putting together this document. I'm sure it represents a
significant amount of time, effort and discussion to come to this current
state. However, as we've expressed in the past, Google has serious
reservations endorsing this as a publication of the CA/Browser Forum, and
would like to encourage members to contemplate other options for
publication. If it were to be put towards a Forum vote for adoption, we
would be opposed.

A non-exhaustive list of reasons for this objection includes:

   - These Requirements are only relevant to applications that rely on
   publicly-trusted certificates for Code Signing. As many CAs are aware, this
   model is not the model of most modern code signing systems, including
   Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or
   Google's Android and Chrome platforms. In practice, and as reflected in the
   WG membership, this is largely constrained to Microsoft's requirements. For
   a document that strives to benefit "large operating system vendors that
   utilize code signing certificates," it only affects one in practice, and
   that's seriously concerning.
   - In order to be relevant and applicable to other platforms that may
   wish to delegate their security to third-parties such as CAs, it will
   require a rechartering of the CA/Browser Forum to permit the inclusion of
   these vendors in the activities and meetings of the Forum. As reflected in
   the very name itself, we believe that the CA/Browser Forum is best suited
   as a collaboration of CAs and Browsers. If CAs wish to work with other ISVs
   for the development of common criteria for code-signing, we would like to
   suggest that a different, separate forum be established.
   - Although the EV Code Signing Guidelines are already a work product of
   the Forum, we have still expressed our concerns in the past regarding that
   document as well. Absent multiple ISVs having been involved in drafting and
   committing to adopting these guidelines, we feel that such documents may be
   disproportionately affected by the participating CAs, to the detriment of
   non-participants. Similar to our concerns here, we feel it's best if the EV
   Code Signing Guidelines were transitioned away from the Forum, in
   order to reflect their specific limitations, relevance, and applicability
   to the Microsoft Root Program.

I hope that the CAs that participated in the work group, as well as
Microsoft, are able to channel this momentum into a productive effort
outside of the Forum. For example, these requirements may very likely be
better expressed simply as Microsoft's requirements for participants in
their Code Signing Program.

All the best,
Adam, Chris, and Ryan, on behalf of Google