[cabfpub] Pre-Ballot: Code Signing Baseline Requirements
kirk_hall at trendmicro.com
kirk_hall at trendmicro.com
Thu Nov 19 19:58:35 UTC 2015
Trend Micro will endorse.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Dean Coclin
Sent: Thursday, November 19, 2015 11:01 AM
Subject: [cabfpub] Pre-Ballot: Code Signing Baseline Requirements
The Code Signing Working Group of the CA/Browser Forum has completed its work on Version 1 of the Code Signing Baseline Requirements. The Working Group has been meeting over the last 2+ years to develop and bring this topic to the Forum for approval.
This Working Group was chartered by the Forum at the Mozilla face to face meeting in February 2013 and has brought together forum members and outside participants to craft a document which we believe will help improve the security of the ecosystem. Forum members in the working group include: Comodo, Digicert, Entrust, ETSI, Federal PKI, Firmaprofessional, Globalsign, Izenpe, Microsoft, Startcom, SwissSign, Symantec, Trend Micro, WoSign as well as non-members: Cacert, Intarsys, OTA, Richter, and Travelport. Also, there have been several public commenting periods which resulted in changes and revisions to the document.
The stated goal of the group was to: "Create a set of baseline requirements for code signing that will reduce the incidence of signed malware". We strived to work on 3 sub goals, which are by no means 100% solved. However we feel that the document reflects progress towards these goals which were:
1. Minimize private key theft by moving toward more secure key storage (protection of private keys)
2. Baseline authentication and vetting procedures for all parties
3. Information sharing (notification/revocation) for fraud detection. This piece was moved to the Information Sharing Working Group
The document is now final and no further changes are being accepted. Comments and suggestions will be accumulated for a future version of the document.
The group is seeking 2 endorsers for the ballot below:
- - - - Motion for Ballot XXX - - - -
Be it resolved that the CA / Browser Forum adopts the recommendation of the Code Signing Working Group for Version 1.0 of the Baseline Requirements for Code Signing. Once adopted the effective date will be October 1, 2016.
- - - - Motion Ends - - - -
The review period for this ballot shall commence at 2200 UTC on 3 Dec 2015, and will close at 2200 UTC on 10 Dec 2015. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2200 UTC on 17 Dec 2015. Votes must be cast by posting an on-list reply to this thread.
A vote in favor of the motion must indicate a clear 'yes' in the response. A vote against must indicate a clear 'no' in the response. A vote to abstain must indicate a clear 'abstain' in the response. Unclear responses will not be counted. The latest vote received from any representative of a voting member before the close of the voting period will be counted. Voting members are listed here:
In order for the motion to be adopted, two thirds or more of the votes cast by members in the CA category and greater than 50% of the votes cast by members in the browser category must be in favor. Quorum is currently nine (9) members- at least nine members must participate in the ballot, either by voting in favor, voting against, or abstaining.
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public