[cabfpub] [cabfc_s] Code Signing Baseline Requirements

Dean Coclin Dean_Coclin at symantec.com
Thu Aug 13 15:46:26 UTC 2015


Rich,

We'll be discussing another proposed update on today's call which is at noon
EST if you want to join.

Dean

 

From: Rich Smith [mailto:richard.smith at comodo.com] 
Sent: Thursday, August 13, 2015 9:24 AM
To: Dean Coclin
Cc: Jody Cloutier; Ben Wilson; 'CABFPub'; codesigning at cabforum.org
Subject: Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements

 

OK, thanks Dean.  It seemed like it had been further back than February, and
I was concerned that perhaps the document had undergone significant changes
since the public review.  That seems not to be the case, so I'm fine with
moving forward.
-Rich

On 8/12/2015 5:10 PM, Dean Coclin wrote:

Hi Rich,

Yes, we did put out a version for public comment in February. We took those
comments back along with others that surfaced during the re-review process
and have come out with this document. So technically this is not another
review period. Having said that, we never say no to any comments which the
group feels need to be addressed.

 

Dean

 

From: Jody Cloutier [mailto:jodycl at microsoft.com] 
Sent: Wednesday, August 12, 2015 12:00 PM
To: Ben Wilson; richard.smith at comodo.com; Dean Coclin; 'CABFPub'
Cc: codesigning at cabforum.org
Subject: RE: [cabfpub] [cabfc_s] Code Signing Baseline Requirements

 

What is the purpose of the additional review period? Are we accepting
modifications during this timeframe? 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, August 12, 2015 8:58 AM
To: richard.smith at comodo.com; 'Dean Coclin' <Dean_Coclin at symantec.com>;
'CABFPub' <public at cabforum.org>
Cc: codesigning at cabforum.org
Subject: Re: [cabfpub] [cabfc_s] Code Signing Baseline Requirements

 

I think we've already done that, unless you're suggesting that we go out for
another 30-day review period.  It would be good to map out proposed dates
when everything is supposed to occur.

 

From: codesigning-bounces at cabforum.org
[mailto:codesigning-bounces at cabforum.org] On Behalf Of Rich Smith
Sent: Wednesday, August 12, 2015 9:48 AM
To: 'Dean Coclin' <Dean_Coclin at symantec.com>; 'CABFPub'
<public at cabforum.org>
Cc: codesigning at cabforum.org
Subject: Re: [cabfc_s] [cabfpub] Code Signing Baseline Requirements

 

Dean said:

The Working Group would like to have the Forum approve these Baseline
Requirements by ballot which will be put forth at the next teleconference.
Discussion will start at that time, followed by a formal vote.

 

Dean, as this is an entirely new full set of guidelines, this seems fast for
a ballot and vote.  With the BRs as I recall, we circulated to the public
and had, I believe, a 30 day public comment period, after which time it was
brought back in house to address any issues before being then proposed for
final ballot review and approval.  Shouldn't we do the same here?

 

-Rich

 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Dean Coclin
Sent: Tuesday, August 11, 2015 4:31 PM
To: CABFPub
Cc: codesigning at cabforum.org
Subject: [cabfpub] Code Signing Baseline Requirements

 

The Code Signing Working Group of the CA/Browser Forum is pleased to
announce the release of the final version of the Code Signing Baseline
Requirements. The Working Group has been meeting over the last 2 years to
develop and bring this topic to the Forum for approval. 

 

The Working Group would like to have the Forum approve these Baseline
Requirements by ballot which will be put forth at the next teleconference.
Discussion will start at that time, followed by a formal vote.

 

This Working Group was chartered by the Forum at the Mozilla face to face
meeting in February 2013 and has brought together forum members and outside
participants to craft a document which we believe will help improve the
security of the ecosystem. Forum members in the working group include:
Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional,
Globalsign, Izenpe, Microsoft, Starcom, SwissSign, Symantec, Trend Micro,
WoSign as well as non-members: Cacert, Intarsys, OTA, Richter, and
Travelport.

 

The stated goal of the group was to: "Create a set of baseline requirements
for code signing that will reduce the incidence of signed malware". We
strived to work on 3 sub goals, which are by no means 100% solved. However
we feel that the document reflects progress towards these goals which were:

1.       Minimize private key theft by moving toward more secure key storage
(protection of private keys)

2.       Baseline authentication and vetting procedures for all parties

3.       Information sharing (notification/revocation) for fraud detection.
This piece was moved to the Information Sharing Working Group

 

We ask all members to review the document and provide feedback for
discussion to the forum. The guidelines would go into effect one year after
forum approval.

 

Thanks,


Dean Coclin and Jeremy Rowley

 

on behalf of the

Code Signing Working Group

 

 

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150813/91038548/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150813/91038548/attachment-0001.p7s>


More information about the Public mailing list