[cabfpub] Code Signing and SMIME Working Group Charter Drafting

Ryan Sleevi sleevi at google.com
Fri Nov 30 01:57:04 UTC 2018

On Thu, Nov 29, 2018 at 5:05 PM Bruce Morton via Public <public at cabforum.org>

> Hi Ben,
> I thought that I would provide some input on Code Signing and hopefully it
> will be considered for the charter.
> The public CAs are currently working with two orphaned code signing
> certificate guidelines. Here are some issues:
> ·        Documents are be out of date as such software suppliers, CAs,
> subscribers and relying parties are not benefiting from lessons learned or
> ecosystem updates
> ·        Clients of software suppliers may be at higher risk than
> necessary
> ·        Subscribers of code signing certificates are required to meet
> dated specifications which may be costly
> ·        Cloud provision of subscriber HSM has not been addressed
> ·        The two documents specify different requirements to address the
> same problem
> ·        CAs that issue both OV and EV code signing certificates must
> manage two sets of controls
> ·        CAs that issue both OV and EV will have to undergo two different
> audits in 2019
> It would be great if an outcome of the Working Group is one document for
> code signing certificates. I think that the one document can address both
> the EV and OV code signing certificate types, especially since many of the
> requirements are just references to the Baseline Requirements or EV SSL
> Guidelines.
> I would also consider creating a Time-stamp certificate document. The
> advantage is that we could set a standard for time-stamp certificate and
> time-stamp authorities to support code signing, document signing, etc.

I would suggest that this be out of scope of Code Signing - there are
significant differences, there exist industry standards already (within the
IETF and within ETSI), and these have different purposes: timestamping
extends beyond code-signing, as you note.

> I would be interested in helping out with the Code Signing Working Group
> charter drafting.

As noted, Google is very concerned that, given the confusion the market
shares around what the CA/Browser Forum is and is not, a code signing WG
may be seen as either impacting non-third-party mediated code signing, or
somehow encouraging third-party mediated code-signing as being an
improvement over first-party mediated code-signing, which it is not.

In this regard, and as discussed during the Shanghai F2F, ensuring that the
scope of any charter makes it very clear that the scope of activities, and
work product, are specifically limited to those software suppliers that
engage with third-party CAs to perform identity validation and assessment,
and to explicitly exclude from the scope, goals, and activities the broader
discussion of code-signing, including that of first-party mediated
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20181129/68d79cd3/attachment-0003.html>

More information about the Public mailing list