[cabfpub] Ballot FORUM-8: Charter to Establish a Code Signing Certificate Working Group
Dimitris Zacharopoulos (HARICA)
dzacharo at harica.gr
Fri Feb 22 10:34:38 UTC 2019
Ben,
There is an issue with numbered items in sections 4.2.1 and 4.2.2. You
need to restart the numbering.
Thanks you,
Dimitris.
On 22/2/2019 2:00 π.μ., Ben Wilson via Public wrote:
>
> *Ballot FORUM-8: Charter to Establish a Code Signing Certificate
> Working Group*
>
> *Purpose of Ballot*
>
> It is proposed that the Forum establish a working group to adopt and
> maintain a policy, framework, and set of standards related to the
> issuance and management of code signing certificates by a third-party
> Certificate Issuer, rather than by the platform supplier (i.e.
> Certificate Consumer) itself. The work would be based on the Forum’s
> prior adoption of the EV Code Signing Guidelines, version 1.4, (Ballot
> 172; 5 July 2016), and additional work by Forum members who expressly
> agreed to operate pursuant to the Forum’s IPR Policy, between 2013 and
> 2015, which resulted in a failed proposal to adopt a set of baseline
> requirements for the issuance and management of code signing
> certificates
> (https://cabforum.org/wp-content/uploads/Code-Signing-Requirements-2015-11-19.pdf;
> https://cabforum.org/2015/12/17/ballot-158).
>
> It is proposed by Ben Wilson of DigiCert and endorsed by Mike Reilly
> of Microsoft and Bruce Morton of Entrust Datacard that the Forum
> charter a working group to operate in accordance with the Scope and
> other provisions that follow. This Charter will take effect upon
> approval of the CAB Forum by ballot conducted in accordance with Bylaw
> 5.3.
>
> *— BALLOT BEGINS —*
>
> *Code Signing Certificate Working Group Charter*
>
> *Introduction*
>
> This introduction provides general information and context with an
> intent to assist the interpretation of this Charter.
>
> A code signing certificate contains the public key corresponding to a
> private key that is used by a person or organization to digitally sign
> data—such data usually containing instructions (i.e. “code”) for
> hardware to perform certain tasks. A code signing certificate can be
> identified by the existence of an Extended Key Usage (EKU) Object
> Identifier (OID) of 1.3.6.1.5.5.7.3.3.
>
> The objective of a code signing certificate is to provide a
> cryptographic way to identify the source of code. There are a variety
> of functional models and use cases whereby a code signing certificate
> is issued by a Certificate Issuer to a Subscriber for use in signing
> code that will run on a particular computing platform or group of
> platforms. (Each platform supplier determines how a chain between a
> trusted root CA certificate and the code signing certificate will be
> created and verified.)
>
> The primary use case under consideration for the working group is a
> model whereby the platform supplier accepts code signing certificates
> issued by a third-party Certificate Issuer. A common example of this
> model is Microsoft’s Authenticode, although others exist.
>
> Other functional models include those which allow developers to
> self-sign code and those in which the platform supplier manages the
> code signing or certificate issuance process, and these models are
> expressly excluded from the working group’s mandate. Common examples
> of these models that are expressly excluded from the scope of
> guidelines to be promulgated by the working group are Apple’s
> Developer ID program and Google’s Android.
>
>
> Chartering of the Code Signing Certificate Working Group
>
> Upon approval of the CAB Forum by ballot, the Code Signing Certificate
> Working Group (“CSCWG”) is created to perform the activities as
> specified in this Charter, subject to the terms and conditions of the
> CA/Browser Forum Bylaws and Intellectual Property Rights (IPR) Policy,
> as such documents may change from time to time. In the event of a
> conflict between this Charter and any provision in either the Bylaws
> or the IPR Policy, the provision in the Bylaws or IPR Policy SHALL
> take precedence. The definitions found in the Forum’s Bylaws SHALL
> apply to capitalized terms in this Charter.
>
>
> 1Scope
>
> The authorized scope of the CSCWG SHALL be to discuss, adopt, and
> maintain policies, frameworks, and sets of standards related to the
> issuance and management of code signing certificates by third-party
> Certificate Issuers under a publicly trusted root (and not code
> signing certificates issued under a private root CA), limited as follows:
>
> 1. EV Code Signing Guidelines, v. 1.4 and subsequent versions
> 2. Version 1.0 Draft of November 19, 2015, Baseline Requirements for
> the Issuance and Management of Publicly-Trusted Code Signing
> Certificates (subject to the CSCWG making a written finding that
> the provenance of such document is sufficiently covered by the
> Forum’s IPR Policy)
> 3. Verification requirements for issuance/renewal of code signing
> certificates
> 4. Subscriber protection of private keys, including keys stored in
> the cloud
> 5. Certificate issuance and revocation
> 6. Requirements/controls on use of code signing certificates
> 7. Mechanisms to engage with AV vendors, researchers, and others
> regarding signed malware
> 8. Certificate profiles for code signing certificates and Issuing CA
> certificates (including the appropriateness of extensions and when
> those extensions should be present)
> 9. Certificate issuance and revocation
> 10. CA operational practices, physical/logical security, etc.
>
> The CSCWG SHALL exercise caution to ensure that its work product does
> not impede the issuance of other EKU types.
>
>
> 2Out of Scope
>
> The CSCWG SHALL NOT develop guidelines, standards, or requirements
> applicable to:
>
> 1. Self-signed code;
> 2. Platform suppliers / Certificate Consumers;
> 3. Certificates issued under a root certificate that is not publicly
> trusted, even though they are managed by Certificate Issuers or
> other third-party service providers; or
> 4. The code signing or certificate issuance process when managed by a
> platform supplier / Certificate Consumer.
>
>
> 3Charter Expiration
>
> The CSCWG is chartered until it is dissolved as specified in Bylaw
> 5.3.2(c).
>
>
> 4Personnel and Participation
>
>
> 4.1Selection of Officers
>
> Dean Coclin will act as chair of the CSCWG until the first Working
> Group Teleconference, at which time the group will select a chair and
> vice-chair. The chair and vice-chair will serve until October 31,
> 2020, or until they are replaced, resign, or are otherwise
> disqualified. Thereafter, elections SHALL be held for chair and vice
> chair every two (2) years in coordination with the Forum’s election
> process and in conjunction with its election cycle. Officer elections
> SHALL occur in accordance with Bylaw 4.1(c).
>
>
> 4.2Eligibility to Participate, Suspension, and Termination of
> Membership in CSCWG
>
>
> 4.2.1Eligibility to Participate
>
> The CSCWG SHALL consist of two classes of voting members, Certificate
> Issuers and Certificate Consumers meeting the eligibility criteria below:
>
> (1)A Certificate Issuer eligible for voting membership in the CSCWG
> MUST have a publicly-available audit report or attestation statement
> in accordance with one of the following schemes:
>
> 1. WebTrust for CAs v.2.0 or newer; or
> 2. ETSI EN 319 411-1, which includes normative references to ETSI EN
> 319 401 (the latest version of the referenced ETSI documents
> should be applied); or
> 3. If a Government Certificate Issuer is required by its Certificate
> Policy to use a different internal audit scheme, it MAY use such
> scheme provided that the audit either (a) encompasses all
> requirements of one of the above schemes or (b) consists of
> comparable criteria that are available for public review.
>
> These audit reports must also meet the following requirements:
>
> 4. They must report on the operational effectiveness of controls for
> a historic period of at least 60 days;
> 5. No more than 27 months have elapsed since the beginning of the
> reported-on period and no more than 15 months since the end of the
> reported-on period; and
> 6. The audit report was prepared by a Qualified Auditor.
>
> In addition, the Certificate Issuer MUST actively issue code signing
> certificates that are accepted for use in computing platforms in which
> the platform supplier accepts code signing certificates issued by such
> Certificate Issuer.
>
> (2)A Certificate Consumer (i.e. a platform supplier) eligible for
> voting membership in the CSCWG must produce a computing platform that
> accepts code signing certificates issued by third-party Certificate
> Issuers who meet criteria set by such Certificate Consumer.
>
>
> 4.2.2Membership Application/Declaration process
>
> 1. An Applicant not already a member of the Forum SHALL provide the
> following information:
>
> 7. Confirmation that the applicant satisfies at least one (1) of the
> membership eligibility criteria (and if it satisfies more than one
> (1), indication of the single category under which the applicant
> wishes to apply).
> 8. The organization name, as they wish it to appear on the Forum Web
> site and in official Forum documents.
> 9. URL of the applicant's main Web site.
> 10. Names and email addresses of employees who will participate in the
> Working Group and Forum as Member representatives.
> 11. Emergency contact information for security issues related to
> certificate trust.
>
> Applicants that qualify as Certificate Issuers or Root Certificate
> Issuers must supply the following additional information:
>
> 12. URL of the current qualifying audit report.
> 13. The URL of at least one third party website that includes a
> certificate issued by the Applicant in the certificate chain.
> 14. Links or references to issued end-entity certificates that
> demonstrate them being treated as valid by a Certificate Consumer
> Member.
>
> Such Applicant SHALL become a Member once the CSCWG has determined by
> consensus among the Members during a CSCWG Meeting or Teleconference
> that the Applicant meets all of the requirements above or, upon the
> request of any Member of the CSCWG, by a Ballot among Members of the
> CSCWG. Acceptance by consensus shall be determined or a Ballot of the
> Members shall be held as soon as the Applicant indicates that it has
> presented all information required above and has responded to all
> follow-up questions from the CSCWG and the Member has complied with
> the requirements of Bylaw 5.5.
>
> Certificate Issuer applicants that are not actively issuing code
> signing certificates but otherwise meet these membership criteria MAY
> request to the CSCWG that they be granted an invitation for Associate
> Member status in accordance with Bylaw 3.1, subject to conditions
> designated by the CSCWG.
>
> The CSCWG SHALL allow participation by Interested Parties, as set
> forth in the Bylaws.
>
> 2. Existing CAB Forum Members seeking to participate in the CSCWG, in
> accordance to Bylaw 5.3.1(c), MUST formally declare their intent
> to participate in writing and provide the CSCWG Chair with this
> declaration and evidence that they meet the criteria set forth
> above. Such Applicants SHALL become Members of the CSCWG as
> determined by consensus during a CSCWG Meeting or Teleconference,
> or upon the request of any Member of the CSCWG, by a Ballot among
> Members of the CSCWG.
>
> In order to determine the composition of the initial set of CSCWG
> Members, at least twenty-four (24) hours prior to the initial meeting
> of the CSCWG, the CSCWG Chair SHALL publish a list of Members seeking
> to participate who he determines meet the criteria set forth above. As
> the first order of business at the first meeting of the CSCWG, those
> organizations on the Chair’s list of proposed, qualifying Members
> SHALL vote to determine the initial set of CSCWG Members.
>
>
> The Chair of the CSCWG SHALL establish a list for declarations of
> participation and manage it in accordance with the Bylaws, the IPR
> Policy, and the IPR Policy Agreement.
>
>
> 4.2.3Ending Working Group Membership
>
> Members may resign from the CSCWG at any time. Resignation or other
> termination of membership in the CSCWG does not prevent a Member from
> potentially having continuing obligations, under the Forum's IPR
> Policy or any other document.
>
> A Certificate Consumer Member's membership will automatically cease if
> any of the following become true:
>
> 1.it stops providing updates for its membership-qualifying software
> product; and
>
> 2.six (6) months have elapsed since the last such published update.
>
> A Certificate Issuer’s membership in the CSCWG may be suspended if any
> of the following become true:
>
> 1.it fails to perform and disclose its membership-qualifying audit and
> fifteen (15) months have elapsed since the end of the audit period of
> its last successful membership-qualifying audit;
>
> 2.its membership-qualifying audit is revoked, rescinded or withdrawn;
>
> 3.fifteen (15) months have elapsed since the end of the audit period
> of its last successful membership-qualifying audit; or
>
> 4.it is no longer the case that its currently-issued certificates are
> treated as valid by at least one Certificate Consumer Member of the CSCWG.
>
> Any Member who believes one of the above circumstances is true of any
> other Member may report it on the CSCWG’s Public Mail List. The CSCWG
> Chair will then investigate, including asking the reported Member for
> an explanation or appropriate documentation. If evidence of continued
> qualification for membership is not forthcoming from the reported
> Member within five (5) working days, the CSCWG Chair will announce
> that such Member is suspended, such announcement to include the basis
> upon which the suspension has been made.
>
> A suspended Member who believes it has then re-met the membership
> criteria under the relevant clauses shall post its evidence to the
> CSCWG Public Mail List or provide evidence to the CSCWG Chair who
> SHALL post it to the CSCWG Public Mail List. The CSCWG Chair will
> examine the evidence and unsuspend the member, or not, by announcement
> to the CSCWG Public Mail List. A Member's membership will
> automatically cease six months after it becomes suspended if the
> Member has not re-met the membership criteria by that time.
>
> While suspended, a Member may participate in CSCWG Meetings, CSCWG
> Teleconferences, and on the CSCWG's discussion lists, but may not
> propose or endorse ballots or take part in any form of voting.
>
> Votes cast before the announcement of a Member's suspension will stand.
>
> *//*
>
>
> 5*Voting and Other Organizational Matters*
>
>
> 5.1Voting Structure
>
> The rules described in Bylaw 2.3 and 2.4 SHALL apply to all ballots,
> including Draft Guideline Ballots.
>
> In order for a ballot to be adopted by the Code Signing Certificates
> Working Group, two-thirds or more of the votes cast by the Certificate
> Issuers must be in favor of the ballot and more than 50% of the votes
> cast by the Certificate Consumers must be in favor of the ballot. At
> least one member of each class must vote in favor of a ballot for it
> to be adopted. Quorum is the average number of Member organizations
> (cumulative, regardless of Class) that have participated in the
> previous three (3) Code Signing Certificate Working Group Meetings or
> Teleconferences (not counting subcommittee meetings thereof). For
> transition purposes, if three (3) meetings have not yet occurred,
> quorum is three (3).
>
>
> 5.2Other Organizational Matters
>
> (a) The Chair may delegate any of his/her duties to the Vice Chair as
> necessary. The Vice Chair has the authority of the Chair in the event
> of any absence or unavailability of the Chair, and in such
> circumstances, any duty delegated to the Chair herein may be performed
> by the Vice Chair. For example, the Vice Chair may preside at CSCWG
> Meetings and Teleconferences in the Chair’s absence.
>
> (b) CSCWG-created Subcommittees may be approved either (1) by formal
> ballot as described in Bylaw 2.3 or (2) by simple majority vote of
> those members present at a regularly scheduled CSCWG Meeting or
> Teleconference provided that the proposal is mentioned in an agenda
> circulated on the CSCWG Public Mail List at least forty-eight (48)
> hours prior to the CWG Meeting or Teleconference.
>
> **
>
>
> 6Summary of Major Deliverables
>
> The deliverables of the CSCWG are defined in the Scope section above.
>
>
> 7Primary Means of Communication
>
> (a) The CSCWG SHALL appoint a webmaster to maintain the CSCWG’s pages
> on the wiki and the Forum’s Public Web Site.
>
> (b) The CSCWG will communicate primarily through listserv-based email
> in accordance with Bylaw 5.3.1(d). The CSCWG List SHALL be available
> to the public, who will not have posting privileges (i.e. anyone may
> subscribe to receive messages and the list may be crawled and indexed
> by Internet search engines).
>
> (c) The CSCWG SHALL conduct periodic calls or face-to-face meetings as
> needed. Minutes SHALL be kept, and such minutes SHALL be made public
> in accordance with Bylaw 5.2.
>
>
> 8IPR Policy and Antitrust Policy
>
> As with all Forum Working Group activity, the IPR Policy, v1.3 or
> later, SHALL apply to all activities and work of the CSCWG. All
> Participants in the CSCWG SHALL have on file with the Forum a valid,
> signed IPR Policy Agreement (v.1.3). A previously submitted IPR Policy
> Agreement (v1.3) by an existing Member of the Forum shall suffice as
> meeting the obligation under section 4.5 of the IPR Policy that a
> Participant in the CSCWG commit to CAB Forum License requirements.
>
> In accordance with the Forum’s antitrust policy, an antitrust
> compliance statement SHALL be read at the start of all Working Group
> Meetings, in substantially the form written in Bylaw 1.3.
>
>
> --- MOTION ENDS---
>
> The procedure for approval of this ballot is as follows:
>
> *Discussion Period (7+ days):*
>
> Start Time: Friday, 22-February-2019 at 0100 UTC
>
> End Time: Friday, 1-March-2019 at 0100 UTC
>
> *Vote for Approval (7 days):*
>
> Start Time: Friday, 1-March-2019 at 0100 UTC
>
> End Time: Friday, 8-March-2019 at 0100 UTC
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20190222/89080cae/attachment-0003.html>
More information about the Public
mailing list