[cabfpub] Code Signing Baseline Requirements - Public Draft
Ryan Sleevi
sleevi at google.com
Mon Aug 25 15:45:54 MST 2014
On Mon, Aug 25, 2014 at 1:29 PM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:
> Hi everyone,
>
> In 2013, the CA/Browser Forum voted to create a Code Signing Working Group
> whose sole purpose was to come up with a set of Baseline Requirements for
> the issuance of Code Signing Certificates. The result of that effort is
> enclosed. Once approved by the CA/B Forum and subsequent audit standards
> are created, all Certificate Authorities will be obligated to follow these
> Requirements when issuing and managing code signing certificates.
>
> The goals of this project and resulting document are as follows:
>
> 1. Create uniform identification and vetting procedures that all
> Certificate Authorities must follow when issuing code signing certificates
>
> 2. Identify ways to stop the theft of private keys and prevent key
> compromise by increasing the required levels of key protection
>
> 3. Identify origins of malware (geographic and otherwise) and
> implement procedures to reduce the incidence of signed malware
>
> 4. Document standards for code signing “services” which store
> private code-signing keys in cloud-based service offerings
>
> Although it may seem that the biggest beneficiaries of these guidelines
> will be large operating system vendors that utilize code signing
> certificates, the public as a whole will benefit from a reduced incidence
> of malware on their systems and devices. We urge users, the software
> development industry, and operating system platforms to carefully review
> this document and provide comments to the CA/B Forum by October 30, 2014.
> The Working Group will review every comment for incorporation into the
> final draft. Comments should be sent to questions at cabforum.org.
>
> Thanks,
> The Code Signing Working Group
Jeremy, members of the Code Signing WG,
Thank you for putting together this document. I'm sure it represents a
significant amount of time, effort and discussion to come to this current
state. However, as we've expressed in the past, Google has serious
reservations about endorsing this as a publication of the CA/Browser Forum, and
would like to encourage members to contemplate other options for
publication. If it were to be put towards a Forum vote for adoption, we
would be opposed.
A non-exhaustive list of reasons for this objection includes:
- These Requirements are only relevant to applications that rely on
publicly-trusted certificates for Code Signing. As many CAs are aware, this
model is not the model of most modern code signing systems, including
Apple's iOS and OS X platforms, Mozilla's Firefox extensions mechanisms, or
Google's Android and Chrome platforms. In practice, and as reflected in the
WG membership, this is largely constrained to Microsoft's requirements. For
a document that strives to benefit "large operating system vendors that
utilize code signing certificates," it only affects one in practice, and
that's seriously concerning.
- In order to be relevant and applicable to other platforms that may
wish to delegate their security to third-parties such as CAs, it will
require a rechartering of the CA/Browser Forum to permit the inclusion of
these vendors in the activities and meetings of the Forum. As reflected in
the very name itself, we believe that the CA/Browser Forum is best suited
as a collaboration of CAs and Browsers. If CAs wish to work with other ISVs
for the development of common criteria for code-signing, we would like to
suggest that a different, separate forum be established.
- Although the EV Code Signing Guidelines are already a work product of
the Forum, we have still expressed our concerns in the past regarding that
document as well. Absent multiple ISVs having been involved in drafting and
committing to adopting these guidelines, we feel that such documents may be
disproportionately affected by the participating CAs, to the detriment of
non-participants. Similar to our concerns here, we feel it's best if the EV
Code Signing Guidelines were transitioned away from the Forum, in
order to reflect their specific limitations, relevance, and applicability
to the Microsoft Root Program.
I hope that the CAs that participated in the work group, as well as
Microsoft, are able to channel this momentum into a productive effort
outside of the Forum. For example, these requirements may very likely be
better expressed simply as Microsoft's requirements for participants in
their Code Signing Program.
All the best,
Adam, Chris, and Ryan, on behalf of Google