[cabfpub] [cabfc_s] Code Signing Baseline Requirements

Rich Smith richard.smith at comodo.com
Thu Aug 13 13:23:53 UTC 2015


OK, thanks Dean.  It seemed like it had been further back than February, 
and I was concerned that perhaps the document had undergone significant 
changes since the public review.  That seems not to be the case, so I'm 
fine with moving forward.
-Rich

On 8/12/2015 5:10 PM, Dean Coclin wrote:
>
> Hi Rich,
>
> Yes, we did put out a version for public comment in February. We took 
> those comments back along with others that surfaced during the 
> re-review process and have come out with this document. So technically 
> this is not another review period. Having said that, we never say no 
> to any comments which the group feels need to be addressed.
>
> Dean
>
> *From:* Jody Cloutier [mailto:jodycl at microsoft.com]
> *Sent:* Wednesday, August 12, 2015 12:00 PM
> *To:* Ben Wilson; richard.smith at comodo.com; Dean Coclin; 'CABFPub'
> *Cc:* codesigning at cabforum.org
> *Subject:* RE: [cabfpub] [cabfc_s] Code Signing Baseline Requirements
>
> What is the purpose of the additional review period? Are we accepting 
> modifications during this timeframe?
>
> *From:* public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Ben Wilson
> *Sent:* Wednesday, August 12, 2015 8:58 AM
> *To:* richard.smith at comodo.com <mailto:richard.smith at comodo.com>; 
> 'Dean Coclin' <Dean_Coclin at symantec.com 
> <mailto:Dean_Coclin at symantec.com>>; 'CABFPub' <public at cabforum.org 
> <mailto:public at cabforum.org>>
> *Cc:* codesigning at cabforum.org <mailto:codesigning at cabforum.org>
> *Subject:* Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements
>
> I think we've already done that, unless you're suggesting that we go 
> out for another 30-day review period.  It would be good to map out 
> proposed dates when everything is supposed to occur.
>
> *From:* codesigning-bounces at cabforum.org 
> <mailto:codesigning-bounces at cabforum.org> 
> [mailto:codesigning-bounces at cabforum.org] *On Behalf Of* Rich Smith
> *Sent:* Wednesday, August 12, 2015 9:48 AM
> *To:* 'Dean Coclin' <Dean_Coclin at symantec.com 
> <mailto:Dean_Coclin at symantec.com>>; 'CABFPub' <public at cabforum.org 
> <mailto:public at cabforum.org>>
> *Cc:* codesigning at cabforum.org <mailto:codesigning at cabforum.org>
> *Subject:* Re: [cabfc_s] [cabfpub] Code Signing Baseline Requirements
>
> Dean said:
>
> The Working Group would like to have the Forum approve these Baseline 
> Requirements by ballot which will be put forth at the next 
> teleconference. Discussion will start at that time, followed by a 
> formal vote.
>
> Dean, as this is an entirely new full set of guidelines, this seems 
> fast for a ballot and vote.  With the BRs as I recall, we circulated 
> to the public and had, I believe, a 30 day public comment period, 
> after which time it was brought back in house to address any issues 
> before being then proposed for final ballot review and approval.  
> Shouldn't we do the same here?
>
> -Rich
>
> *From:* public-bounces at cabforum.org 
> <mailto:public-bounces at cabforum.org> 
> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dean Coclin
> *Sent:* Tuesday, August 11, 2015 4:31 PM
> *To:* CABFPub
> *Cc:* codesigning at cabforum.org <mailto:codesigning at cabforum.org>
> *Subject:* [cabfpub] Code Signing Baseline Requirements
>
> The Code Signing Working Group of the CA/Browser Forum is pleased to 
> announce the release of the final version of the Code Signing Baseline 
> Requirements. The Working Group has been meeting over the last 2 years 
> to develop and bring this topic to the Forum for approval.
>
> The Working Group would like to have the Forum approve these Baseline 
> Requirements by ballot which will be put forth at the next 
> teleconference. Discussion will start at that time, followed by a 
> formal vote.
>
> This Working Group was chartered by the Forum at the Mozilla face-to-face 
> meeting in February 2013 and has brought together Forum members 
> and outside participants to craft a document which we believe will 
> help improve the security of the ecosystem. Forum members in the 
> working group include: Comodo, Digicert, Entrust, ETSI, Federal PKI, 
> Firmaprofessional, Globalsign, Izenpe, Microsoft, Starcom, SwissSign, 
> Symantec, Trend Micro, WoSign, as well as non-members: Cacert, 
> Intarsys, OTA, Richter, and Travelport.
>
> The stated goal of the group was to: "Create a set of baseline 
> requirements for code signing that will reduce the incidence of signed 
> malware". We strove to work on 3 sub-goals, which are by no means 
> 100% solved. However, we feel that the document reflects progress 
> towards these goals, which were:
>
> 1. Minimize private key theft by moving toward more secure key storage 
> (protection of private keys)
>
> 2. Baseline authentication and vetting procedures for all parties
>
> 3. Information sharing (notification/revocation) for fraud detection. 
> This piece was moved to the Information Sharing Working Group
>
> We ask all members to review the document and provide feedback for 
> discussion to the forum. The guidelines would go into effect one year 
> after forum approval.
>
> Thanks,
>
>
> Dean Coclin and Jeremy Rowley
>
> on behalf of the
>
> Code Signing Working Group
>
