[cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements

Sigbjørn Vik sigbjorn at opera.com
Mon Dec 14 04:58:34 MST 2015


While we believe this document contains a lot of improvements, we are
not yet ready to support it. Opera therefore votes "NO".

Our concerns have been brought up before, some have been allayed in this
version, but there are still some remaining.

In general we are still not convinced that this has had sufficient
consideration among subscribers and software vendors.

* This will obligate subscribers to use particular ways of protecting
keys, which may be less secure and less practical than currently. At
least for Opera this will be the case. We currently keep an offline
signing machine in a secure storage, and bring items to be signed to the
machine. The new guidelines stipulate that we must keep the key on a USB
stick instead. (The other solutions do not support key backup, so are
not usable.) In practice, this means that the key is less protected, may
easily disappear, and that the signing code will be on an online
computer - compromise of that computer is almost as bad as compromise of
the key itself.
* The definition of suspect code includes code which contains "serious
vulnerabilities". In some cases software vendors (e.g. browsers) may
wish to ship an update for one serious vulnerability, while still
working on fixing another. This is precluded with the existing definition.
* We see no reason to copyright the document. (We do not consider "did
in the past" a reason.) That the current statement precludes copying
only parts of the document, makes it particularly problematic.
* The password requirements for transport of the key are overly strict,
especially as the physical device containing the key has to be
transported to and from the signing computer all the time. Either
constrain the password requirements to electronic transportation, or
reduce them.
* "LLCs", "CISA" and "DBA" ought to be defined before accepting this
document.
* "the CA must revoke the certificate except if the CA has documented
proof (e.g., OCSP logs) that this will cause significant impact to the
general public." We do not want this to be a loophole, where a CA can
choose not to revoke certificates for their own reasons, and not tell
anyone. Some way of ensuring a consistent interpretation of this is
needed. A simple way would be to inform the CA/B Forum. Other ways
may be devised.

A general comment to the guidelines, as it seems there is a
misunderstanding. "SHOULD" and "should" have the same meaning in the
document, RFC 2119 makes no case distinction, neither does the document.
Documents which wish to clearly separate, should state this where they
define the meanings. It suffices to add e.g. "when used in upper case".

On 14-Dec-15 10:45, Adriano Santoni wrote:
> Actalis votes "YES".
> 
> On 14/12/2015 09:45, Robin Alden wrote:
>>
>> Comodo votes Yes.
>>
>>  
>>
>> Regards
>>
>> Robin Alden
>>
>> Comodo
>>
>>  
>>
>>  
>>
>> *From:* public-bounces at cabforum.org
>> [mailto:public-bounces at cabforum.org] *On Behalf Of* Doug Beattie
>> *Sent:* 11 December 2015 22:01
>> *To:* CABFPub <public at cabforum.org>
>> *Subject:* Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline
>> Requirements
>>
>>  
>>
>> GlobalSign votes Yes
>>
>>  
>>
>>  
>>
>> *From:* public-bounces at cabforum.org
>> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dean Coclin
>> *Sent:* Friday, December 11, 2015 4:36 PM
>> *To:* CABFPub <public at cabforum.org>
>> *Subject:* Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline
>> Requirements
>>
>>  
>>
>> Symantec votes YES
>>
>>  
>>
>> Dean Coclin
>>
>>  
>>
>> *From:* public-bounces at cabforum.org
>> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dean Coclin
>> *Sent:* Thursday, December 03, 2015 1:24 PM
>> *To:* CABFPub
>> *Subject:* Re: [cabfpub] Ballot 158: Adopt Code Signing Baseline
>> Requirements
>>
>>  
>>
>> Adding public link to final version:
>> https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf
>>
>>  
>>
>>  
>>
>> *From:* public-bounces at cabforum.org
>> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dean Coclin
>> *Sent:* Thursday, December 03, 2015 4:04 PM
>> *To:* CABFPub
>> *Subject:* [cabfpub] Ballot 158: Adopt Code Signing Baseline Requirements
>>
>>  
>>
>> After a 2 week pre-ballot, the Code Signing Working Group has now
>> prepared the formal ballot below:
>>
>> _Ballot 158: Adopt Code Signing Baseline Requirements_
>>
>>  
>>
>> The following motion is proposed by the Code Signing Working Group and
>> is endorsed by Microsoft, Trend Micro and OATI. Further information on
>> the ballot is in the email message below.
>>
>> *- - - - Motion for Ballot 158 - - - -*
>>
>> Be it resolved that the CA / Browser Forum adopts the recommendation
>> of the Code Signing Working Group for Version 1.0 of the Baseline
>> Requirements for Code Signing. Once adopted, the effective date will
>> be October 1, 2016.
>>
>> *- - - - Motion Ends - - - -*
>>
>> The review period for this ballot shall commence at 2200 UTC on 3 Dec
>> 2015, and will close at 2200 UTC on 10 Dec 2015. Unless the motion is
>> withdrawn during the review period, the voting period will start
>> immediately thereafter and will close at 2200 UTC on 17 Dec 2015.
>> Votes must be cast by posting an on-list reply to this thread.
>>
>>  
>>
>> A vote in favor of the motion must indicate a clear 'yes' in the
>> response. A vote against must indicate a clear 'no' in the response. A
>> vote to abstain must indicate a clear 'abstain' in the response.
>> Unclear responses will not be counted. The latest vote received from
>> any representative of a voting member before the close of the voting
>> period will be counted. Voting members are listed here:
>>
>>  
>>
>> https://cabforum.org/members/
>>
>>  
>>
>> In order for the motion to be adopted, two thirds or more of the votes
>> cast by members in the CA category and greater than 50% of the votes
>> cast by members in the browser category must be in favor. Quorum is
>> currently nine (9) members – at least nine members must participate in
>> the ballot, either by voting in favor, voting against, or abstaining.
>>
>>  
>>
>> Dean Coclin and Jeremy Rowley
>>
>> Code Signing Working Group co-chairs
>>
>>  
>>
>> *From:* public-bounces at cabforum.org
>> [mailto:public-bounces at cabforum.org] *On Behalf Of* Dean Coclin
>> *Sent:* Thursday, November 19, 2015 2:01 PM
>> *To:* CABFPub
>> *Subject:* [cabfpub] Pre-Ballot: Code Signing Baseline Requirements
>>
>>  
>>
>> The Code Signing Working Group of the CA/Browser Forum has completed
>> its work on Version 1 of the Code Signing Baseline Requirements.  The
>> Working Group has been meeting over the last 2+ years to develop and
>> bring this topic to the Forum for approval.
>>
>>  
>>
>> This Working Group was chartered by the Forum at the Mozilla face to
>> face meeting in February 2013 and has brought together forum members
>> and outside participants to craft a document which we believe will
>> help improve the security of the ecosystem. Forum members in the
>> working group include: Comodo, Digicert, Entrust, ETSI, Federal PKI,
>> Firmaprofessional,  Globalsign, Izenpe, Microsoft, Startcom,
>> SwissSign, Symantec, Trend Micro, WoSign as well as non-members:
>> Cacert, Intarsys, OTA, Richter, and Travelport.  Also, there have been
>> several public commenting periods which resulted in changes and
>> revisions to the document.
>>
>>  
>>
>> The stated goal of the group was to: “Create a set of baseline
>> requirements for code signing that will reduce the incidence of signed
>> malware”. We strived to work on 3 sub goals, which are by no means
>> 100% solved. However we feel that the document reflects progress
>> towards these goals which were:
>>
>> 1.       Minimize private key theft by moving toward more secure key
>> storage (protection of private keys)
>>
>> 2.       Baseline authentication and vetting procedures for all parties
>>
>> 3.       Information sharing (notification/revocation) for fraud
>> detection. This piece was moved to the Information Sharing Working Group
>>
>>  
>>
>> _The document is now final and no further changes are being accepted_.
>> Comments and suggestions will be accumulated for a future version of
>> the document.
>>
>>  
>>
>> The group is seeking 2 endorsers for the ballot below:
>>
>> *- - - - Motion for Ballot XXX - - - -*
>>
>> Be it resolved that the CA / Browser Forum adopts the recommendation
>> of the Code Signing Working Group for Version 1.0 of the Baseline
>> Requirements for Code Signing. Once adopted the effective date will be
>> October 1, 2016.
>>
>> *- - - - Motion Ends - - - -*
>>
>> The review period for this ballot shall commence at 2200 UTC on 3 Dec
>> 2015, and will close at 2200 UTC on 10 Dec 2015. Unless the motion is
>> withdrawn during the review period, the voting period will start
>> immediately thereafter and will close at 2200 UTC on 17 Dec 2015.
>> Votes must be cast by posting an on-list reply to this thread.
>>
>>  
>>
>> A vote in favor of the motion must indicate a clear 'yes' in the
>> response. A vote against must indicate a clear 'no' in the response. A
>> vote to abstain must indicate a clear 'abstain' in the response.
>> Unclear responses will not be counted. The latest vote received from
>> any representative of a voting member before the close of the voting
>> period will be counted. Voting members are listed here:
>>
>>  
>>
>> https://cabforum.org/members/
>>
>>  
>>
>> In order for the motion to be adopted, two thirds or more of the votes
>> cast by members in the CA category and greater than 50% of the votes
>> cast by members in the browser category must be in favor. Quorum is
>> currently nine (9) members – at least nine members must participate in
>> the ballot, either by voting in favor, voting against, or abstaining.
>>
>>  
>>
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
> 
> -- 
> /Adriano Santoni/
> 
> 
> 


-- 
Sigbjørn Vik
Opera Software

