[cabfpub] Pre-Ballot: Code Signing Baseline Requirements

Dean Coclin Dean_Coclin at symantec.com
Thu Nov 19 19:00:52 UTC 2015

The Code Signing Working Group of the CA/Browser Forum has completed its
work on Version 1 of the Code Signing Baseline Requirements.  The Working
Group has been meeting over the last 2+ years to develop and bring this
topic to the Forum for approval. 


This Working Group was chartered by the Forum at the Mozilla face to face
meeting in February 2013 and has brought together forum members and outside
participants to craft a document which we believe will help improve the
security of the ecosystem. Forum members in the working group include:
Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional,
Globalsign, Izenpe, Microsoft, Startcom, SwissSign, Symantec, Trend Micro,
WoSign as well as non-members: Cacert, Intarsys, OTA, Richter, and
Travelport.  Also, there have been several public commenting periods which
resulted in changes and revisions to the document. 


The stated goal of the group was to: "Create a set of baseline requirements
for code signing that will reduce the incidence of signed malware". We
strived to work on 3 sub goals, which are by no means 100% solved. However
we feel that the document reflects progress towards these goals which were:

1.       Minimize private key theft by moving toward more secure key storage
(protection of private keys)

2.       Baseline authentication and vetting procedures for all parties

3.       Information sharing (notification/revocation) for fraud detection.
This piece was moved to the Information Sharing Working Group


The document is now final and no further changes are being accepted.
Comments and suggestions will be accumulated for a future version of the


The group is seeking 2 endorsers for the ballot below:

- - - - Motion for Ballot XXX - - - -

Be it resolved that the CA / Browser Forum adopts the recommendation of the
Code Signing Working Group for Version 1.0 of the Baseline Requirements for
Code Signing. Once adopted the effective date will be October 1, 2016.

- - - - Motion Ends - - - -

The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015,
and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn
during the review period, the voting period will start immediately
thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by
posting an on-list reply to this thread. 


A vote in favor of the motion must indicate a clear 'yes' in the response. A
vote against must indicate a clear 'no' in the response. A vote to abstain
must indicate a clear 'abstain' in the response. Unclear responses will not
be counted. The latest vote received from any representative of a voting
member before the close of the voting period will be counted. Voting members
are listed here: 




In order for the motion to be adopted, two thirds or more of the votes cast
by members in the CA category and greater than 50% of the votes cast by
members in the browser category must be in favor. Quorum is currently nine
(9) members- at least nine members must participate in the ballot, either by
voting in favor, voting against, or abstaining.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151119/a05cfda8/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Code Signing Requirements 2015-11-19.pdf
Type: application/pdf
Size: 799269 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151119/a05cfda8/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5747 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20151119/a05cfda8/attachment.p7s>

More information about the Public mailing list